Overview

overview

7

Static

static

3

8d04a9e3f1...3e.exe

windows7-x64

7

8d04a9e3f1...3e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe

  • Size

    86KB

  • MD5

    b44581b65079ea9344cbec11d6215eb4

  • SHA1

    c73949cfd7ae180851e6824f62c973150a1c77ab

  • SHA256

    8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e

  • SHA512

    ab54d35d89f3e704e34aab47e62cd3f04731cbb5eb2b9e1e54a623e8ad1af3ac09afb27dcf8a45bdaab4cc9afba78fe0cc3ca70a1e7b74183a244f1e5ec9e1d4

  • SSDEEP

    1536:vF3SHmLKarIpYMyapmebn4ddJZeY86iLflLJYEIs67rxo:vFkF3psLK4ddJMY86ipmns6S

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe
        "C:\Users\Admin\AppData\Local\Temp\8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15F1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Users\Admin\AppData\Local\Temp\8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe
            "C:\Users\Admin\AppData\Local\Temp\8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe"
            4⤵
            • Executes dropped EXE
            PID:2708
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2772

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        0b2679dc1eb882abf56d11ca591aeb76

        SHA1

        7a5c7ff9a42f9c84873d269d1e776a89045a1f45

        SHA256

        3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354

        SHA512

        8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a15F1.bat
        Filesize

        722B

        MD5

        22cb67b3a10b5f55c4751c3efb24e9a5

        SHA1

        6df5222ff5146e2f31d1d209bfb75dd7bd7845ec

        SHA256

        336aefd15f9bc3fb5e7dd42969bb58b40e17ae68dfa7e6af6902032a13199bd2

        SHA512

        99ff4829f5155977765dc1ffbdb2cddc83aea21fb286584b463f75a8fc311c9ce2eefd950240538323586556ed38c09866b50196cff0462f30e24415fd69a33e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8d04a9e3f12a63e43a17e0a8e90ef4473ce30aedf829016727a528fa98aee23e.exe.exe
        Filesize

        59KB

        MD5

        dfc18f7068913dde25742b856788d7ca

        SHA1

        cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

        SHA256

        ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

        SHA512

        d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        d0d42004d5e14fecf764dc99963c82fa

        SHA1

        2b05a3b17e23a16df2a838d31d8c4113993dd833

        SHA256

        fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f

        SHA512

        72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
        Filesize

        9B

        MD5

        3b22ce0fee2d1aaf2c66dcd142740e29

        SHA1

        94d542b4bb9854a9419753c38e6ffe747653d91c

        SHA256

        8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

        SHA512

        efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

        Download Submit

      • memory/1208-30-0x0000000002D00000-0x0000000002D01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1776-40-0x0000000000220000-0x0000000000255000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1776-17-0x0000000000220000-0x0000000000255000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1776-16-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1776-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-39-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-46-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-92-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-98-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-651-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-1875-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-2213-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-32-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-3335-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2004-19-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download