Overview

overview

7

Static

static

3

d9fe337e5c...3b.exe

windows7-x64

7

d9fe337e5c...3b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-05-2024 22:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe

  • Size

    2.8MB

  • MD5

    50e7b8546b68608b3799cccca6dcd27f

  • SHA1

    61180f195f6007cd883848bf9753857ed01d706e

  • SHA256

    d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b

  • SHA512

    89c4a1832470822c05dddda167ea130a98df25526cd8c1850b82b0222a9c6f90634a1cc42cb27141fde58435cfe85344f9828c18f1861586e8c37f85f62fdf17

  • SSDEEP

    49152:E6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:hd1XdhBiiMa7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe
        "C:\Users\Admin\AppData\Local\Temp\d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aABF8.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:2204
          • C:\Users\Admin\AppData\Local\Temp\d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe
            "C:\Users\Admin\AppData\Local\Temp\d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe"
            4⤵
            • Executes dropped EXE
            PID:2952
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        916f61e09f99409543151ddec18e89ae

        SHA1

        3ce6d1dae5340aab7ccfd915d8088c20116d7ea4

        SHA256

        6d88bf8dacb1dec0dd52550df6601e3631e8874f52404d03877e3843682d6d47

        SHA512

        ca78a48d577d64d84cb1e48462a55b8258bbb2d81e219766566a16f03a9f9aec996edc5c58b4303361f89091cd11c4c6069a6740a3c9212a2c3e441b79cb3564

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aABF8.bat
        Filesize

        722B

        MD5

        5d3a0833d79afdda65867f7ca73000d9

        SHA1

        93a929fb2c4ca5259eb677111396b55372449664

        SHA256

        df1f69e9f502c912ffdb05836830890467c14c8e47ed99cbf0b2dc1c79c7607f

        SHA512

        7e24a4c20eb9c8f9aa8d497661e2dbbc53ecd31f5f5c9e8180827daa7578c67ec156d51adf2f9b6034dc95dc08acb95d76392ffbeeddf06368ce28162520c7bd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\d9fe337e5c6cc2068ac5f3831b94669c8b0297c27f8d378d8fd17a3665e2543b.exe.exe
        Filesize

        2.8MB

        MD5

        095092f4e746810c5829038d48afd55a

        SHA1

        246eb3d41194dddc826049bbafeb6fc522ec044a

        SHA256

        2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

        SHA512

        7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        0c2a885df5fa2ebcae91564ec5088618

        SHA1

        fb00dcefb9f0655bc23c1a1673df3b19fe71935b

        SHA256

        565163946b3944c4717d9ab9900dd3f683ebd0d7f8573b96d2f667c34e514fba

        SHA512

        cc9d7f60b562033e619eb1ed410c8cd176a7524d89bacf0eced9d7b434624538626f75d887d0ee5f0f64617524dc894c0b9adcd9ca52beec0e09473295fa6768

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        8B

        MD5

        0282826728a8bfe9c3f290391e4f323c

        SHA1

        ab69946ecc2824015e04a669b8434e8eb2a658aa

        SHA256

        0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

        SHA512

        fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

        Download Submit

      • memory/1200-31-0x0000000002680000-0x0000000002681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2292-17-0x00000000003C0000-0x00000000003F6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2292-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2292-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2292-15-0x00000000003C0000-0x00000000003F6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-40-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-46-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-92-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-98-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-126-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-1851-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-3311-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2304-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download