Overview

overview

7

Static

static

3

afccb8fdcb...d8.exe

windows7-x64

7

afccb8fdcb...d8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 04:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe

  • Size

    419KB

  • MD5

    ae07471ce4038f0ee5493bbee70a791b

  • SHA1

    f49b164e4d57174001a8fde8f552eec5b10957f8

  • SHA256

    afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8

  • SHA512

    09a65329350cf9f21fe0e4eff436a7c3f254e391b1c44763ebf95d5073cf75b01e8ca23425d9437a08fe6f2391dcbdc8602214f0358fef84b4e84d0d25aa277e

  • SSDEEP

    12288:+7+NnW3gaHC2zUM2WJoROZVXk8hbodzbTw8x0Cx+:+7AWx5k8hb0HTw+x

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe
        "C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a252D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe
            "C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe"
            4⤵
            • Executes dropped EXE
            PID:2144
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2796

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        54c5bafca47fd98082775cde150baca5

        SHA1

        d690d232c9fe3c96c08b0c6f09f33247dbbfa24d

        SHA256

        02a54f80ef13a162345855375dcbf2ad3d5fcbe40fbc39faa41442490b4e95dc

        SHA512

        114df1cb4f212c607d6219ff576357231a7b7b5cb710a269de4dd8d6dca47ccf6962d6412e72c7cad255a41a0bab266d8bfc91cf4051574a29eb8d26993b916b

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a252D.bat
        Filesize

        722B

        MD5

        9f65978e7f7cc57c6cde0b47232e250c

        SHA1

        0e46a61368909989efa3f8b71ee258f3f5cd69e4

        SHA256

        e49f68fded8e9dd15531393805b5d2ed8202ba4db0055b87e535a7690c3c5083

        SHA512

        8564e56fe3ad430bc4d52f082a31a5bb7e22417d91cd02ed26d277b773dda08f987eda7c25673eb31f354d1130e4c98c764de1b6dc5fa3b83957340c45c521ea

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe.exe
        Filesize

        392KB

        MD5

        ec3fd88c7b552c1e380b4819a6dbacf2

        SHA1

        d1213f26e8fd6975a975b52e2677dc02a4a4d85e

        SHA256

        14b33d10bb9ac0081d66137295ca0653665cc7299d5508bb08e7494e8ce5ab0a

        SHA512

        edcd243df3429652c052c9a0d7dd57ee141d5743d2bf8f7d5bd0c6c9a27d40da6da39d6da2582837268276a2ed4133a37b84d998ecbc6a61bbe15b09148ee798

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        a0a0986d9acf60095b1f86eeb6c1e0bd

        SHA1

        e90f018d99d4af17f0c3df0203db71c45d7a20d1

        SHA256

        adade822b1c385b01ba5d19dfd6d3140a0951df0c572802cfbe34c4c5157203b

        SHA512

        9ae080c368e1d1809a251bbf71efbcfc6678f67c55c8a230afc8fbbde82283e9b44411923cf4f76a79c07d99f6507e85d441e6b99a84fd8c8da134447e3caa85

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
        Filesize

        8B

        MD5

        9bf5ad0e8bbf0ba1630c244358e5c6dd

        SHA1

        25918532222a7063195beeb76980b6ec9e59e19a

        SHA256

        551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

        SHA512

        7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

        Download Submit

      • memory/1196-28-0x0000000002540000-0x0000000002541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-95-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-30-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-89-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-458-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-1872-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2460-3332-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3056-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3056-12-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3056-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download