Overview

overview

7

Static

static

3

4e935354e1...99.exe

windows7-x64

7

4e935354e1...99.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe

  • Size

    127KB

  • MD5

    d68a482f70846832ab29b6aecefab6a8

  • SHA1

    7796c513812623a9b4bab582fc0ef1f106a55906

  • SHA256

    4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899

  • SHA512

    895ca06a79fb2ca2019556b76683c91b2184c6dbc29e41b7e9ed812c26a4fac2b817cf17752542e9c6ef440057b47a82e69fb18fdc89b984f671d0c973b1220c

  • SSDEEP

    3072:p9kuJVLxhUBf8Bo/mu+YDfYz8KrRVwWEhPt4zB+yNFp0:4uJVG7/fYfLnzB+AFa

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
        "C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a277E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
            "C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe"
            4⤵
            • Executes dropped EXE
            PID:1212
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2668

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        8916a72b93d5fd4c6e63c8b36279b230

        SHA1

        83e3b1bfd579fbf998b2db5428819a10b25d0ad5

        SHA256

        537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b

        SHA512

        2c61138cc8800649890179c080c228da22ab9fe27f3fc1a83c52f57b349a5d3c61fc9d4a64ab53e362376f63edf99d30f0994b6070f97d09ec4868efaf8293b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a277E.bat
        Filesize

        722B

        MD5

        cdfcced305777ed47ba7e69541d4a054

        SHA1

        2ee8f083409c441a29a318ee5a4a7889ef040b5b

        SHA256

        6a359582ebf0270d2401f59993891cd1f4c3c0930ab704371d881d8b44d301da

        SHA512

        1005d81bcea431c748eea4c34b018d9ddcede0a267fbae7cf4589755961f892332af0a7ba3af0824a02e160c0715c9148aabdb5ef27ef2348f9bae070012094e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe.exe
        Filesize

        98KB

        MD5

        b8d34226a11443d575f205e3dc9d87e8

        SHA1

        f1952c7a285664816ae09ce1df8a79d1d49f3dbf

        SHA256

        57db243b4fbae3ee90c0f52e0d6871bcd47e8d23236381f051704350c8297f7c

        SHA512

        181229544e43348d08ac0be3f03e4572baa5df255de5db79466904857016e670c130177035492159eb077c5629857741430639bee7c9552d17f7ae960403c82d

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        ca7aead79b7295c052be33014e4ed990

        SHA1

        a768ad348a64c11d69c5e909871beb9361d2c16b

        SHA256

        13ffeb88b5674f2f8588cff12c5e4e0a2dab8843a1e5e0ddcdc1e3fa8e10a7a7

        SHA512

        4fc323fd0aa80bbdaa85d7c37032ed92b54817f55a07976b9a45eb65e77cdd80cab98c34fd38b9c2f3a9cadbf878396bf9ce196b2f9168cbebf4a9107e191f26

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
        Filesize

        9B

        MD5

        db64fea40b8b0f0d620ef2ecc6eadbca

        SHA1

        51736590bfbfbac961899ddcc9be998bfeabd3d5

        SHA256

        946d3f6b9ecc2fa53895526caf79e41850ad594f22a240d93f8bb7eb286d70f8

        SHA512

        b70e24f5930090ac0c9a584f3810d41af8de5562c6b78f6979ea97c929edc18d57bedb9af335d19307aa0db00004aa5a4e553f24ac884365d8bd899d6f3258c0

        Download Submit

      • memory/1168-30-0x00000000024B0000-0x00000000024B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2400-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2400-12-0x00000000002A0000-0x00000000002D6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2400-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-508-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-1874-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-3334-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2616-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download