Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 10:43

General

  • Target

    b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe

  • Size

    100KB

  • MD5

    50458e0e3de0cd602647b63607892642

  • SHA1

    c5f443fd65e717ecee1af1f2148be813283c299d

  • SHA256

    b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693

  • SHA512

    8a3055fcaa672def4b1efd38b9bedff8f3ef639a3fc6c113a4d793cfa5169ddcd4d6c1c8b9cec5160ea5eb5f0d18e861c8915cef801075074a9632989c7fd371

  • SSDEEP

    768:Uf1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLHxurmSoqCzX3zIp8J80CpxuUe0Cp:UNfgLdQAQfcfymNnLzkTEuL7lfT9S

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
        "C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA035.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
            "C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe"
            4⤵
            • Executes dropped EXE
            PID:2116
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2112

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

              Filesize

              251KB

              MD5

              10e927db6aae50e89fcb4d441d9e27e1

              SHA1

              6a2250c03aba8fe7a9c388742db5ac4e473fa178

              SHA256

              a68e60f5bc35fdb50525110f44ad636498278629d38a3854369e9a93ed70ee19

              SHA512

              1d6c8b2d48403d037fc31ffeee690ca956ed8595671e1400c8dad69347ac0749d94498b00feec325575d98d300c0694d0083ca7e2e72a124ff45e9f74dd09227

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

              Filesize

              471KB

              MD5

              4cfdb20b04aa239d6f9e83084d5d0a77

              SHA1

              f22863e04cc1fd4435f785993ede165bd8245ac6

              SHA256

              30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

              SHA512

              35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

            • C:\Users\Admin\AppData\Local\Temp\$$aA035.bat

              Filesize

              722B

              MD5

              d5bb01617a7058ad5ccf3ed5bd556979

              SHA1

              938196286bc9287afb06317bf8db165303441ffe

              SHA256

              cac2be80e8796c567eeb24afe9d27135a0e853efb2c9ff9981a5f6ceb36cc2c0

              SHA512

              f2fd756be448e13ac117e5471667ecb099fe4440af69ec9910cb8b9a3571cf7d5275decaf186f90c87e20c8e380dace4cfc271a73a37f6d849ee960014906630

            • C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe.exe

              Filesize

              74KB

              MD5

              545d1e26963a478eee9bb844caac1802

              SHA1

              cfb64537a634a1f7111ab799c05a706a0869b55a

              SHA256

              b88ea7dadb71946c6b5d9b6a2c6c974cd5b6a29408eb63bde7953713057f3f7d

              SHA512

              45ce1c2a4be515e19633a704a8b92cc0756bf268e942b5d9e60ae1e0492bf82486af1c91162e1595b5a6742134a52e98012ab25d97216615b997121e30d20a74

            • C:\Windows\rundl132.exe

              Filesize

              26KB

              MD5

              e7093a12cfd837f03fc2aa86eaa886ba

              SHA1

              bfeb2bd83d5d07adb9e0df6d23177660982f884d

              SHA256

              9ce4f790a3ad9cb93ba0b875d0888db7e560fbbbceb022a1624252a26dde4db2

              SHA512

              8ff9f31ff0e19431aec46a5ba04387ea145f42d4480911f5ea07deb9e8e48b6ce631d919746fa7446568a3a5e56c23a92f1e632379580cd286e7bdcc04350f55

            • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

              Filesize

              9B

              MD5

              a470ca2426c102d035971b2e504d921b

              SHA1

              1720ef61e5c8e2ad6da9992a78940228fc81d615

              SHA256

              13721d3153b316d1b54c64b67de19ae5147cb78e332448e6b800f6d510c269f5

              SHA512

              c12907d26eac47d219aaa47b11d243738b0e698f898f9f2bd199652bc094197227ce12bc5fc96f5da25f1fd7b5904fe71ee3792105b05ac13a135d89aa1c1831

            • memory/1192-30-0x0000000002270000-0x0000000002271000-memory.dmp

              Filesize

              4KB

            • memory/2244-16-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2244-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-21-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-45-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-91-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-97-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-271-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-1850-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-39-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-3310-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/2800-32-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB