Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 23:42

General

  • Target

    4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

  • Size

    66KB

  • MD5

    a878b58aacb81b190eb1c0a7de1df471

  • SHA1

    801d617704eb88f0c6c3fb243ae189494b6964af

  • SHA256

    4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c

  • SHA512

    5533b38cdfe0f9412967278b958fc13fc9b494ac7c9f062633217a51f6bc8ae20b8a9602161c4d27d34c539aade1feeeae226656967b094ef2cf231957a1cf02

  • SSDEEP

    1536:kIfgLdQAQfcfymNg33CLlAJmiRTOlfm7dxh:/ftffjmN83kAJJaMh

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
        "C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2D28.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
            "C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"
            4⤵
            • Executes dropped EXE
            PID:2752
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: f94afa1cae163777a4ead07058d9b026
    SHA1: f9076e8e06e3f5eaf76ce771473be0b0045fc3e9
    SHA256: cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362
    SHA512: 54be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 471KB
    MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
    SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
    SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
    SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

  • C:\Users\Admin\AppData\Local\Temp\$$a2D28.bat
    Filesize: 722B
    MD5: 496a9277da55ccb30d99d9f8a103aefa
    SHA1: 15aea04d2bc7cadd098a3bea05e18b8029323912
    SHA256: aded070cafe0cb7f9784737d041f7f4ab77e0bce1ae85891ea1a0800dc2436ad
    SHA512: 987d851bc6cd8d02d79df25fa0615ca4ef851c1b555446023ab1c2a73f4c72b0e0e7ab31581bf596fff1ec954d1c23294265eac99836ae3e77a5e1d2bc10e798

  • C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe.exe
    Filesize: 40KB
    MD5: 1bd1483a7c02d3c1b41b9b1c267ce18a
    SHA1: 5106e8b8e4c292ba6aa53e85755e42b721f4d8c7
    SHA256: 97fe1e3fd8bd54531af1d0ec7a41428a5767ff205e3629deb0e7f6dd1d8e52ce
    SHA512: e0380278791f8e0c3c67375e2c9b39f9f4485698565f6f91e70b3223b8232ad842e87ad3b7e1e92c31f0e92d27e6b51102576a6ae788957b5b4e3a1fccc3f925

  • C:\Windows\rundl132.exe
    Filesize: 26KB
    MD5: d1bd53e7079e1416e563b6787c74f3f8
    SHA1: dfbb7850f591cc74bcbe86418b5ef11522e9e7b0
    SHA256: b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e
    SHA512: bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f

  • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
    Filesize: 9B
    MD5: 1f206a052c160fd77308863abd810887
    SHA1: 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
    SHA256: 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
    SHA512: bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

  • memory/1188-29-0x00000000024F0000-0x00000000024F1000-memory.dmp
    Filesize: 4KB

  • memory/2180-16-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2180-0-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-96-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-44-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-90-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-38-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-579-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-1849-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-2211-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-31-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-3309-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2548-18-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB