Overview

overview

7

Static

static

3

e240086105...2f.exe

windows7-x64

7

e240086105...2f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe

  • Size

    227KB

  • MD5

    901e090fe2959e7eeab56a8f95556bfb

  • SHA1

    ae99e68db72ff4ed4ac0958c0f8f343e6c37b544

  • SHA256

    e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f

  • SHA512

    37bdd169452732ed56705a9d465d57f1c72130d24627f6e7b0d882a79ea797cfb6a7540d144ddb105e54a53bb1fc97cc74395203dcc45ed49bd48d21b46f6d00

  • SSDEEP

    6144:jCuJWdeKzC/leySe8AIqpoHbnDns1ND9m:i/VyV8hEoHbI3A

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe
        "C:\Users\Admin\AppData\Local\Temp\e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB76.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Users\Admin\AppData\Local\Temp\e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe
            "C:\Users\Admin\AppData\Local\Temp\e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe"
            4⤵
            • Executes dropped EXE
            PID:2748
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2560

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        59b7aae3cb37d1edacd55159253dd510

        SHA1

        ceabb6ffbb679732784c01f9d3631898546043a6

        SHA256

        44ead1f1ed8b1136baf384c692ebd3547d6d7a9a2398dc32774f625ad3849dd9

        SHA512

        d1679594a2f6417c01602781436b8766af5f7c470f500885e7bf74ec60e9006741aad5c164e3088a0785f3ff3b5d91ac91325c29e9d51b0abbbb24cdda6ea778

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        6eabc463f8025a7e6e65f38cba22f126

        SHA1

        3e430ee5ec01c5509ed750b88d3473e7990dfe95

        SHA256

        cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

        SHA512

        c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aB76.bat
        Filesize

        721B

        MD5

        f30a52268d38ceec0fda914424081706

        SHA1

        27e88f722aa86030dda301f47503d365d0c5bf3c

        SHA256

        fe1aa993f523eec3d596571a00ec2f4cebe6789e946f96827bccf0797bcb668b

        SHA512

        d558edadb772d457ab13908a8fd80f1c3afd80bc90a3f0ad21bb60a758d9fbd965771735b87b4792e7013e4871ead139477cdad81fb175ebb1eefe1a458b1678

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e2400861056296c6113b59f1e628575a1641c386ac68d0de9a1035ac6cf7b22f.exe.exe
        Filesize

        198KB

        MD5

        e133c2d85cff4edd7fe8e8f0f8be6cdb

        SHA1

        b8269209ebb6fe44bc50dab35f97b0ae244701b4

        SHA256

        6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

        SHA512

        701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        87e1376a8f4d0187c9cd966e5387fba6

        SHA1

        58bdbcb537922706c165607eaf003f2189bc99d3

        SHA256

        f232f879c9a948f3a8697062e75ed55b0e34c10b4c9aa164f90a8a12e0816895

        SHA512

        33219331ace9c8f8ab0a670c9a1f264dfe5e6b50443922d8dac485cd7dc4fd8b63321433c555d6484e038e04985656ce417b4b7a8ffbd8c43b2ad8a7c45dbff4

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
        Filesize

        9B

        MD5

        917c6bf65db2dfa12e70e5aa6a061a01

        SHA1

        bd0d9f217fd74efd784ad4a1b41f330b36e64edf

        SHA256

        8ad43ce062fe590809844ebdf64f2eb0f7d32357c89baac5640ff132dfcfdd19

        SHA512

        21a71205a9abfafcf7fef2a1697ae78a6fe14591bef85f86137d5355b5d40e1b8ca810e351256e0dc2973677e9b4452014126d3e5e81b0c3f1fcbd1a087481cb

        Download Submit

      • memory/1124-31-0x00000000025A0000-0x00000000025A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1640-15-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1640-17-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1640-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1640-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-40-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-46-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-92-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-98-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-633-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-1851-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-2407-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-3311-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2608-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download