Overview

overview

7

Static

static

3

b1235a6f6a...86.exe

windows7-x64

7

b1235a6f6a...86.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2024 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe

  • Size

    66KB

  • MD5

    b6035ab767a750f410570e15e1aca36f

  • SHA1

    0020882553aac04af5e45393c06f32a69f914cd9

  • SHA256

    b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986

  • SHA512

    034113c8e2355a047c58a1794caebd57c179926a14e64e54dbbc00124a5697be6335afed685fc3a02a6749d3ba1e5f99842769e542d37195e7cc060a0a4b23ca

  • SSDEEP

    1536:p9H3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:plkuJVLBrBkfkT5xHzD

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe
        "C:\Users\Admin\AppData\Local\Temp\b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A64.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Users\Admin\AppData\Local\Temp\b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe
            "C:\Users\Admin\AppData\Local\Temp\b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe"
            4⤵
            • Executes dropped EXE
            PID:1976
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2640

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        d69c1bd8b853d4bca99cf06543f37975

        SHA1

        18ac2586187cd811d3f507d65aa3c82e162078fb

        SHA256

        fd6c923086cc16dede115c0cd3bac9dfd2ef10c599d264d0c3f2f60814371c97

        SHA512

        7efe98bcea84259bb1725634032130f98f9608c09adf40d4172b4470ddf88de75fb4f5d5a7afb7335ad79add028e72444f2ebe7edf2ced4e62b888a3a8c71ed6

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        1ca79e3c2539763b0aaac5de49795afe

        SHA1

        2d240aef9a2cce22578f42ebecd3058e37a404a8

        SHA256

        e3e49eceb810b34fc826d70c6556d927a363f29c90b347ee4cfd61d7ba3ff2d9

        SHA512

        4e24d3ebcefa6545d85517bbc5bff3285f85a5967da1642a6e4e53bc2c41efc8b9092a3bbb56c1670b215d623ff5c320bcb06f654ac97482a5dff0da208349e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a1A64.bat
        Filesize

        722B

        MD5

        ac694005013d53c7a15518d4944c61aa

        SHA1

        5de13072bac3df8b701a194d428c54050b6c4a3a

        SHA256

        4e551d28c4b9f513c823b20dc81fb333c10e9f00b2c23da6b6165f426e132b47

        SHA512

        409080bba92f4c7198d53baafc7580cf85adb77ed6e1a507110f4cf67ea25acdc985f4069c1822b48e5a85058780f6e78e03b846f6f4345bb442b6ac4ec0755f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b1235a6f6ae28d9a4d0b0b121ae32e66066e0ee3f429f0f3dadb2f082fe9c986.exe.exe
        Filesize

        36KB

        MD5

        9f498971cbe636662f3d210747d619e1

        SHA1

        44b8e2732fa1e2f204fc70eaa1cb406616250085

        SHA256

        8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

        SHA512

        b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        936348d6d0687d8084404acdbf12ff7b

        SHA1

        4cd7c374860506b5f4b957eaa326258a8b921ab8

        SHA256

        c20c8daf0f87f2789e602c119b0b6f6db784f5ee36c65d349ac3b8cec6dcede9

        SHA512

        d0230ed5429e28ed6c49db6baa13a5dee2afa3c76b092e10de38aaba65acb5203aa79656ff7751060f4d8c1efd7e5900bb1d98ee62dd1b1bfd472673bebd9eac

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
        Filesize

        8B

        MD5

        9bf5ad0e8bbf0ba1630c244358e5c6dd

        SHA1

        25918532222a7063195beeb76980b6ec9e59e19a

        SHA256

        551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

        SHA512

        7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

        Download Submit

      • memory/1196-29-0x0000000002500000-0x0000000002501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2300-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2300-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-565-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-1849-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-2030-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-3309-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2328-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download