Overview

overview

7

Static

static

3

f9fc4af8b4...08.exe

windows7-x64

7

f9fc4af8b4...08.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe

  • Size

    4.2MB

  • MD5

    731590cbb312b2c4668ef30c5457f715

  • SHA1

    33a850eb0bcc769800b21abc9337dc8fd751eaa0

  • SHA256

    f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508

  • SHA512

    975942a6774cd0d17b9a6d87a410602af6e36b754341ff7fb027ddf0d78d93f9a3e94e4a7140244177d20d275db5567af2fd32dbd514d35c2c164d7f99f1091c

  • SSDEEP

    98304:mXccdTtesHtbZZA2vU6dr8R20o8t7sz3rridb7:gLTQsHtbZZAYMk0o8t0nip

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe
        "C:\Users\Admin\AppData\Local\Temp\f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEB0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Users\Admin\AppData\Local\Temp\f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe
            "C:\Users\Admin\AppData\Local\Temp\f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe"
            4⤵
            • Executes dropped EXE
            PID:2580
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1424
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        a9a5a1eadf0a9e9776b55f748a8f4fa3

        SHA1

        607aac41d7f1e8929fd00ed950006e0ad96bc94f

        SHA256

        77fc16e36538deba2c56edeabe62ae11e0c5d380564006e35b03d8cf6871918f

        SHA512

        5ddc878180efa2b6b56f156a2a67df701365ba69af4d244185e31ede4c2edde7b88da6916571dcba47a4cb95814bf7d8f2570610adeac034852a9eeb9a0fcf0d

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        99ea9b604a7a734d3087fa6159684c42

        SHA1

        709fa1068ad4d560fe03e05b68056f1b0bedbfc8

        SHA256

        3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

        SHA512

        7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aEB0.bat
        Filesize

        721B

        MD5

        93a115d169a3fec5f5c6608a8ba7c1ba

        SHA1

        495259c62d2944aee8de98bc81bf95495bd60ee5

        SHA256

        2d36e98b20b693cac2a95f156fd428b36b22625438f14307556279fd1a0c1122

        SHA512

        a8c65d499d9df73c48f790f2ffb29f69b06bd600da04f64ab264f1bd3dd78839febd55704ce51a2fcf76714dbb8df705bfed2cb9c61e753aebc206cadb0afaf0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\f9fc4af8b4534a889d9fbc0b0778608989ad1b893e4e4f681192abecf989c508.exe.exe
        Filesize

        4.2MB

        MD5

        03aef2d88d5aca195398e360b93a0b70

        SHA1

        33228c965bc06b2514c1cb46b2188f9eb782ec3a

        SHA256

        0bf257ca2f4408b72761f5831832044c979b91c944cd6b53be416a877f67203d

        SHA512

        2b5de472e8bb1c84df524eec15871c640fb76272f6b576bad97f425f131c25fee5db5ad8de9bef712bf94ac9705df159ed977fcfefd4d93af3d2dc3a7345ba20

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        a089ef349fc8aa3836ddf36f1160ebae

        SHA1

        067d9aaf763a725f8fe9152371f4123f0cccee47

        SHA256

        e5aaa9d610db8e9b3d888582be218889b084117bbb61fb667987357c2cc9f32b

        SHA512

        6355417cfd84bb137d4a9c7352598e35600ec76569d4ffd0054c9b4f43d25703149ae2111c2a70b3b714d9def26ceb96808be30b621b61469acf8c3f2f5ae99f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
        Filesize

        9B

        MD5

        1f206a052c160fd77308863abd810887

        SHA1

        3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

        SHA256

        45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

        SHA512

        bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

        Download Submit

      • memory/1260-31-0x00000000025C0000-0x00000000025C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-46-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-92-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-874-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-1851-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-2971-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1624-3311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2304-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2304-16-0x00000000003A0000-0x00000000003D4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2304-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download