Overview

overview

7

Static

static

3

7e8e18f34b...c9.exe

windows7-x64

7

7e8e18f34b...c9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2024, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe

  • Size

    957KB

  • MD5

    e8a0787a03765b7996b1c10827cad3dd

  • SHA1

    5e5cd8cc5e16845066cfb37c198f6445daa58e4b

  • SHA256

    7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9

  • SHA512

    512fc3b6beee7ac720d0ed819110a82209e814c273aad73ccfec6aa3b6ea04b3fbdeb7bd9bb7ff55742a7a4b48e3c455c85bc362e27d9f9a6b80eddc2447e3dc

  • SSDEEP

    12288:+p7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:+pEBpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe
        "C:\Users\Admin\AppData\Local\Temp\7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBD3.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Users\Admin\AppData\Local\Temp\7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe
            "C:\Users\Admin\AppData\Local\Temp\7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2588

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        e51b1ea24d8739a33beec03e98ea799d

        SHA1

        359852502dbf1c0e6a5b42f9bd279e3a164c5059

        SHA256

        bfee2fff789c9b51161e79e8d91a226773e5dfb5deb5f8bd2eb94d6cae2d9a61

        SHA512

        04659e8f2d599e4bc36589034ca1b8639e831f2a440ff2dc3c109b73a4d5372b34a43e1a09985623e4f7fac6fd3a4fd1255b591e88cadf234cc20c18c198c10a

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aBD3.bat
        Filesize

        721B

        MD5

        969d70f02e384b8d9a14370c685d5f65

        SHA1

        7610d3a9ab70a5ccfea8857fed5e7f7781c61a53

        SHA256

        a31a61875c2185b791f9e54aaf4ba74cc4304e04baf07db5dfe23eb8e53bce11

        SHA512

        c40270a4e52ff8649e922b2a283c9ec47b4ed7aa9c7c46880a3692fd57c1a508d604d882aa628ff06779c125829abdc72901c38a6059a8a9573814748a596cae

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7e8e18f34b0d3413a2723d8b59dac80fd69019dad09ef4a81bb99c0a581560c9.exe.exe
        Filesize

        930KB

        MD5

        30ac0b832d75598fb3ec37b6f2a8c86a

        SHA1

        6f47dbfd6ff36df7ba581a4cef024da527dc3046

        SHA256

        1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

        SHA512

        505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        14b21c1058ce6446891437ad07c26093

        SHA1

        d503bcb8519e70cc49e533d93abd93fae9e0e937

        SHA256

        f31673e5f2586fc86c5951b3588df924221f49b818fccfba696260b42437bef8

        SHA512

        46893ab3ccdf2ddea3cabdd2fc2b9c97f19991af6a9e6dfbf41f6c92a766edc29fb65034606860d3676d05eed0a76578151eab6e1d854aa7d57550cd2751dc22

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
        Filesize

        8B

        MD5

        5979a5ab5d6ce7068aff133101a79c52

        SHA1

        8ec7729d3782fc978cc50f9b3217fc8309ae7733

        SHA256

        6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

        SHA512

        213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

        Download Submit

      • memory/1196-29-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2184-15-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2184-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-17-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-45-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-92-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-98-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-702-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-1851-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-39-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-2540-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-3311-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2356-32-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download