Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 23:45

General

  • Target

    f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe

  • Size

    713KB

  • MD5

    5b52622eed2c2a2ea6d9dc212d28a839

  • SHA1

    2e3291c80690f460f6dfefe0ed1d01d60b3e9221

  • SHA256

    f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c

  • SHA512

    0c62e222119b9b89a2590aa74159ca485450ac03d0da8098459156e0059a5467daaf5670d7878343e06b4b70c8b4638e57e39586940ff14aaf5f703b32632ecc

  • SSDEEP

    12288:CfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:+LOS2opPIXV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe
      "C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a193B.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe
          "C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"
          4⤵
          • Executes dropped EXE
          PID:2764
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
            PID:2288

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      254KB

      MD5

      48b536408ac1a66263ed8da4ec21add8

      SHA1

      62d20d73d6035d5ce1e1bf1068ff3bf52d609c3b

      SHA256

      fbc2cf414606174f3555d76fe647557b72ac47e6bda0864fd8c5dad738df1733

      SHA512

      44f09df70cb4cafa63f88899b0b0fa07bf8fcd5d0106a9a945453de7570c37985039c4a7267708815b6c707539e9a4472d329f010f6a692c5c1fcaab6c41f1c0

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      474KB

      MD5

      de4228cb7a5a7f082477f6a504b822a7

      SHA1

      dfd84f0b6f4977bfda43b1827aa747a9a5a8a38b

      SHA256

      8c5089a062734aa1a66e70700d4f33f2f54157c4bb3ed4d6ce1a852de8b6f90b

      SHA512

      a3b64b10a22dedebfa48e7705e148d50df480fa9bb0669bc06951ab0ff5f97657f72dc8b71db610499ee38ecae9ae494265841a737806bed7c061d0b634913c8

    • C:\Users\Admin\AppData\Local\Temp\$$a193B.bat

      Filesize

      722B

      MD5

      c8cd0e5e2f5389cf5a8a846b6ae415a3

      SHA1

      c377707c872aa3031c45fcfe63d8cf6abfaaa2f8

      SHA256

      74599c42e17ee7e0197d76ab857ab43b26412c1910be408d81e05f76913ccd38

      SHA512

      df192c9bfd290c13f5c8121bf124b3fc7b8305667f5edfb20b43b95567c211357a84496d025a7c73feb137518c46ef93742bd9ae29c40e944b1020541a64b0e9

    • C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe.exe

      Filesize

      684KB

      MD5

      50f289df0c19484e970849aac4e6f977

      SHA1

      3dc77c8830836ab844975eb002149b66da2e10be

      SHA256

      b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

      SHA512

      877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      9fcfb6b631b5a62c2af6f852de61dc71

      SHA1

      02149b5ae9d7c72cc2df500a9cf25ef4234614e1

      SHA256

      470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a

      SHA512

      69076244e4c53b09a9d3595e6b53201013ce006da986542f8375223640e5ce66d000c9f02c71d3856ea0f3f788c139fce670ae26c571bd71d801bd67e15cb66a

    • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

      Filesize

      9B

      MD5

      1f206a052c160fd77308863abd810887

      SHA1

      3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

      SHA256

      45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

      SHA512

      bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

    • memory/1188-33-0x0000000002570000-0x0000000002571000-memory.dmp

      Filesize

      4KB

    • memory/1260-643-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-100-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-35-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-3337-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-42-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-48-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-94-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-20-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-2028-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1260-1877-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2580-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2580-17-0x0000000000220000-0x0000000000256000-memory.dmp

      Filesize

      216KB

    • memory/2580-16-0x0000000000220000-0x0000000000256000-memory.dmp

      Filesize

      216KB

    • memory/2580-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB