Overview

overview

7

Static

static

3

74b20aecab...92.exe

windows7-x64

7

74b20aecab...92.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe

  • Size

    959KB

  • MD5

    146810b199458656819a822968da3de1

  • SHA1

    2994cb739dd9ef2e483cb758585ed1b2d8d3d931

  • SHA256

    74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092

  • SHA512

    562d43770cc00b04bfdd7316b4e29a145688d2a59c0921cf8a252e4599db59caa5b9ac445ef04107ff7458045f0c9c98f4c1c523fc73d0560087ead56b2a60ab

  • SSDEEP

    12288:rRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:0BpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1152
      • C:\Users\Admin\AppData\Local\Temp\74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe
        "C:\Users\Admin\AppData\Local\Temp\74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a13CF.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Users\Admin\AppData\Local\Temp\74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe
            "C:\Users\Admin\AppData\Local\Temp\74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2468

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        f47bd89838b4a02cde7d647675c85ce7

        SHA1

        dbb732a83dc463475d840a3644e1307624285137

        SHA256

        c97ecc622176cfe7438bd921d847509cb1863433f81df8a5c2119ca5f43dc1d8

        SHA512

        f95c53762a3788d93a55c2edef1380b7a85d832d0077eb6b2b7432d08a0990050c58d3f9f425030cbfce4b1b97cc86dc3bfef78dbfc876bb1f4fa19419e63300

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        8916a72b93d5fd4c6e63c8b36279b230

        SHA1

        83e3b1bfd579fbf998b2db5428819a10b25d0ad5

        SHA256

        537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b

        SHA512

        2c61138cc8800649890179c080c228da22ab9fe27f3fc1a83c52f57b349a5d3c61fc9d4a64ab53e362376f63edf99d30f0994b6070f97d09ec4868efaf8293b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a13CF.bat
        Filesize

        722B

        MD5

        aa7024501866a4d3de23c4b2239b7f2f

        SHA1

        7f11011995a189821f8b252ec4e4be53312e362e

        SHA256

        9bb275071d04379c34af5238cb8c2b09a9db862b5014482163525cc46f7beaaf

        SHA512

        2c544aa9598e758a21da87a19f2eeb0be25a32f14bbfd40bd29ca61ad5a800392b49424f313a17bb81961f5e01e9e764a8c30fe7c570c09135d1f6239b4be49d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\74b20aecabf9325c103d50df30cec48b25f338a731194edf76e651a687cf5092.exe.exe
        Filesize

        930KB

        MD5

        30ac0b832d75598fb3ec37b6f2a8c86a

        SHA1

        6f47dbfd6ff36df7ba581a4cef024da527dc3046

        SHA256

        1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

        SHA512

        505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        3f5e7c4706e29143aea9c7ce1c0402e9

        SHA1

        6fa71c0ae1ea0701d9d7e0caabc266a0c33df54d

        SHA256

        2026a2e28503076f0c685503fff901cbe7120170ade846ad76be13362afe770c

        SHA512

        0199af2ac24604e012003e72cf5bad24a1949a92d2028f39a2400cb109c367f70e1a9779d48b982c70a5f90a542b598fae694360c9caf1b0eec21dd0ed625deb

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
        Filesize

        9B

        MD5

        7e956ef5a6a8d81e557bd13665d22b60

        SHA1

        7f7b593a466647d21bf3d554bf1cd4cdead3dee5

        SHA256

        67b987784bfbcfae36a56382dc0e3e7b6254efdccb5cebe31739a398a39c3590

        SHA512

        bf7a5439f4ccca6aa98e658aceb05ea68fc7ce646461f356b57b9edd318c1b0ddea2e8513dd062d750bd67ed810233782d478baa9217e40ad53ab82d43350d63

        Download Submit

      • memory/1152-30-0x0000000002B30000-0x0000000002B31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2080-99-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-40-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-46-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-93-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-556-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-1876-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-1940-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-3336-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3012-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3012-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download