Overview

overview

7

Static

static

3

d7fe0c1d9f...b6.exe

windows7-x64

7

d7fe0c1d9f...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe

  • Size

    1.3MB

  • MD5

    59033e2a88aa99d28974153af52814fa

  • SHA1

    098e86fcb4da296d2b8c27fa7e78aabcb261bd9c

  • SHA256

    d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6

  • SHA512

    4516a6bed2104d967d1da3168a67e7578dc8c2b00aa32ea429ec2863b67b12ed80ddd000ad501bea38e85e95e61e1b1094018fe7872edd47ac0df592b16493a4

  • SSDEEP

    24576:A6teboKwzipCcbNHjjpbYsxbL7BvwswqLDA:A6teBOFeJjt8gb5rU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
        "C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2981.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
            "C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe"
            4⤵
            • Executes dropped EXE
            PID:1700
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1080

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        247KB

        MD5

        b611236664f228f87f5605656b22c94e

        SHA1

        577f88b5708d114c50801323bea7ccf2aa1f572c

        SHA256

        c1ddc72e6a9125169721af39379a8312f12c14855067fc0a50b6c95f8b159bb2

        SHA512

        7e4608529275bb7906ff821ed2d439c29db22373b81558a4b1ae9c0cc5ff43fc1b6384378aa9d7e965ad7a2921b4fba57b4c6e47c98f77210b82d6b79a3371c7

        Download Submit

      • C:\Program Files\RegisterSearch.exe
        Filesize

        1.1MB

        MD5

        25801665199dbd564c0f3f9bd3463700

        SHA1

        f3efa1469198c4aa786d47361bcd45abaa88925f

        SHA256

        76ed04bcebdd2d45ebd609842ab2144907ae589ff28610251d66f057e5a3d83b

        SHA512

        f9f3fe0921b15dac81fa6411a13c0d4eafc265258cc0b97e3d397941ab9afad8e3bc4a239d41ea91bd1f7cd4fe120f5bac7caddd291da498642197a766ae3979

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        ff7ce6c4ffc92d1beca4883dfcfde0af

        SHA1

        4a52e320cd88765f13e2799a4980a12f788c98a4

        SHA256

        5a4e150d03f1cfadccd40a407a3ae8ec5ffbb5d28ea95dca136d67cac24fd8b5

        SHA512

        99056bcbb382e545304a33002a6cfbb7a57df663feca5a3842bf077d1126931ba78d5e04a93cbd72a7c6d9eb09005750e5cff1030d8586e26838e7634d7ad583

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2981.bat
        Filesize

        722B

        MD5

        cce5262d5a9b77f48686e23bacf93beb

        SHA1

        cfee0715f608adcee1aaaba7a5b8dded8a062232

        SHA256

        5b1bec39bedc298dc1f445fce04e501c67ef827fe9aa9d2883c7d96c91ae405e

        SHA512

        8ef92482b11f8d2528dc2211e03c33285ca2fd64fbde908c2cbd7951e1b6c81c71c83358898e6bf88c62d806b03dffd08ae583ac6e7881784c0d7d8328121378

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe.exe
        Filesize

        1.2MB

        MD5

        1a9063c7e9f3d1225b07a64e3bf9c7ac

        SHA1

        4ebf9f7b41c73b16a220006a4ddd508d1e796095

        SHA256

        afb668011c09b9460981ab3c82c998b50efafbf1197cb0ca7c9e46d67c00b817

        SHA512

        d5e19362bf493f8783fc8b35158629405c246d8ab004be2b2141654dcd1f0048e86c2a22bfb3fbda9268b67de80c9520bbf5d14291ae9394272d5ad8730ba09c

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        ec97bb30cb318c88de256c47be810caf

        SHA1

        573eaca1e8579a591e68f29ecf10f2721eb48df8

        SHA256

        befdbd9bbc7c5452387811839a4e884cb49b62a35b94c00b7f56ce12811ee48a

        SHA512

        d8123682e897720a6974a2a6fb78ec67116965859165880128433944f697791925320b818b98f95c07dcfbeeedb3b0797111c92cbfccdb2d6d29f521c577f7c0

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-17203666-93769886-2545153620-1000\_desktop.ini
        Filesize

        8B

        MD5

        5979a5ab5d6ce7068aff133101a79c52

        SHA1

        8ec7729d3782fc978cc50f9b3217fc8309ae7733

        SHA256

        6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

        SHA512

        213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

        Download Submit

      • memory/2208-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2208-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-27-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-1238-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-4802-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-11-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-5265-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download