Overview

overview

7

Static

static

3

f3c908fcfa...3b.exe

windows7-x64

7

f3c908fcfa...3b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe

  • Size

    1.4MB

  • MD5

    5f1b08b90203ae6096cefb292497dbd8

  • SHA1

    2af27bfac0881d689819a1eeae9fc59faa5b5e86

  • SHA256

    f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b

  • SHA512

    43d8269d3d82eb49316bcc5aaa4254ebe7e7a82852a9103f68cb34de953e9dea7b438ec226272682e45699906f4f53ba46f28c2f56008cf429c911cd3c57f022

  • SSDEEP

    12288:1/JHKuRszP8SDIPT8FgswcC38AER32BF7gxX1i5FtdA8wfrk4s/CFoee7BwoVn5d:1/e78r8FfC3K32nUnCdAaKu++nO

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe
    "C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1AD1.bat
      2⤵
      • Deletes itself
      PID:2448
      • C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe
        "C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe"
        3⤵
        • Executes dropped EXE
        PID:2708
      • C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe
        "C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe"
        3⤵
        • Executes dropped EXE
        PID:2516
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$a1AD1.bat
      Filesize

      722B

      MD5

      2e962b06a537f9d816eb3d8aa4214d18

      SHA1

      165b39dab3019fb9db6e6fd77349856c7a97af5b

      SHA256

      aa17cb76ea3cd20e1c81ff47aa3e03d6487f946dd60898347f580a547479954a

      SHA512

      b72049ed28a3c5035f09b4f77f8d4c1ebf48d36c430b4d9de6d750db99a2dfc2405ba59ef4b4088c2dc668005d7835b5c899ce649ad19e33c44946e137c515fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\f3c908fcfa2458ee26330d428452d8de4bf8a155a8104bc2ead6d31cf670113b.exe.exe
      Filesize

      1.3MB

      MD5

      8c8f836d800e90714a97bc03f6115bc6

      SHA1

      fc67a3917c813d5ac8d7c2b051071111ed35c398

      SHA256

      7157422d57f76d8fb5824c21c8a336748ff99bd8e84f683396d014d290a7c6c4

      SHA512

      cc25ce20b0cc11401a5da1d6f22b4f3295ecdeaded8a564eb14117134f07e2e31e545bc036576360985eee39c44beb2a5e37376bf34b167718644208c86cff5b

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      66KB

      MD5

      bac152d659a8e5c8b297ee885a362ab7

      SHA1

      e35922075011a55e96a69695645985ed2e4d7336

      SHA256

      db778391e2816d919f43276cff95d64e544e28e8f4262a8722e9e904038af413

      SHA512

      ec5a747cd6602130886b0c04638eac550a8dc287368ff3fba6b526bd83f4f678b8ebc3d6482a0282aba720af556df91ae986cccef36c5b77465c4f0003c9a150

      Download Submit

    • memory/1700-13-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-60-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-61-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-63-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-69-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-72-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-201-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2028-277-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2448-51-0x0000000000740000-0x0000000000741000-memory.dmp

      Filesize

      4KB

      Download