Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/06/2024, 04:36

General

  • Target

    a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe

  • Size

    275KB

  • MD5

    80a879a0679ed4ec53fde4ff1b0cb978

  • SHA1

    bbb4713485c283a9c7b2c565e69105a1075fcebe

  • SHA256

    a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90

  • SHA512

    eb5eab0e960e2d801cca2ae48ccb79f3ae256482e16873e33c64c637a41b5a33a4e98acc0d1b245404924628c4a72c0f1696a329f3589870cf01de19f52617fa

  • SSDEEP

    6144:0VfjmNSO94ruMQfK+4Z33Hs2t0EyL+ta+d:27+SiM1t9ERKE+d

Score
7/10

Malware Config

Signatures

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious use of WriteProcessMemory (26 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1348
      • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
        "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AE.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
            "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
              "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:2832
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1876
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:2664

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        8c76d8209d2e719930c9ba1c3aec96a4

        SHA1

        688649466318e5e496c8256fd3168039b3b330aa

        SHA256

        ac040dc7f1ccb3b1a1a0ba7f57c5f1787081c64b56d3af79fdfc24aa69759a9f

        SHA512

        19744836971e4202ee281738f0b895e0b96150642499067e1b51a7434865be790f6a1c65f2163cdbd108adbc7f44ca812c6647eb1952a9925b152b13007ab269

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

        Filesize

        471KB

        MD5

        28f6479e5c0b7a32e8ae773b9221a22a

        SHA1

        882e24734f4d42c4e0b95bb695c921ee66ae2042

        SHA256

        5ec41e0b29c00dd288859df2f583b0e771c11c01d8fd519fe2bd8921b3bed4f3

        SHA512

        d27c5c01bfe526652af0083bc17c4a3212fc00d594344b6a1a39999248623fba1ae14c79ec849c3567d1bf952cdf7e1e4fd5b22fde938227d89338529fb43685

      • C:\Users\Admin\AppData\Local\Temp\$$a7AE.bat

        Filesize

        721B

        MD5

        6d47c60a07364dfdcf05ba7dc9b1c21d

        SHA1

        d7959fa249615843a926c05e436136cf01310da0

        SHA256

        014d8485936d7c364c1554786f0e1dc478fc69445f5d874b193e56e2ba0a6549

        SHA512

        3c33e6ff222d41b0094604b91224eefe501ae3e706b9670f1c56c7ba388d7a8bdfa1794d3dae234ea2fa0a77c4b81f7d5254776226e18856c1498c6552e6f843

      • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe.exe

        Filesize

        248KB

        MD5

        47a6c51c0904f930c3ea2acd11843598

        SHA1

        66dbd0a1bef915d2efbf405b5da32a0eed93a62c

        SHA256

        4cb64e345f2ccf5bb6b3493dc55b11048ef249baed3645b09033758c652734af

        SHA512

        455d26fdaf4396106096c6e1698bf58864ffbff1b073adfafb2c8f66dbfcca502ce452011064bc4ccf38341b848cbd7b02a3471331356ffb8a117ec0bc1a428e

      • C:\Users\Admin\AppData\Local\Temp\nsy8F7.tmp\nsProcess.dll

        Filesize

        4KB

        MD5

        f0438a894f3a7e01a4aae8d1b5dd0289

        SHA1

        b058e3fcfb7b550041da16bf10d8837024c38bf6

        SHA256

        30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

        SHA512

        f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        803416611d3ff9892e3e5c729d18a4cf

        SHA1

        bc99a7db9810cc6c08c4c1eee041d666396a00a8

        SHA256

        44dd551c7c131158282194d127971c71fa4e16b60b526f3886427bdd1b52eae9

        SHA512

        02ad74b45ef2338c97df02d421951b43730531db1c9cc88e85ab294ebf94f7cd0f2991278a4e6e9c4af3dac0f7952e7f2ea09ed14a3ce6b16990371c3d5ec083

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

        Filesize

        9B

        MD5

        4f2460b507685f7d7bfe6393f335f1c9

        SHA1

        378d42f114b1515872e58de6662373af31ab8c7b

        SHA256

        47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42

        SHA512

        75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

      • \Users\Admin\AppData\Local\Temp\nsy8F7.tmp\StdUtils.dll

        Filesize

        100KB

        MD5

        c6a6e03f77c313b267498515488c5740

        SHA1

        3d49fc2784b9450962ed6b82b46e9c3c957d7c15

        SHA256

        b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

        SHA512

        9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      • \Users\Admin\AppData\Local\Temp\nsy8F7.tmp\System.dll

        Filesize

        12KB

        MD5

        0d7ad4f45dc6f5aa87f606d0331c6901

        SHA1

        48df0911f0484cbe2a8cdd5362140b63c41ee457

        SHA256

        3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

        SHA512

        c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      • \Users\Admin\AppData\Local\Temp\nsy8F7.tmp\WinShell.dll

        Filesize

        3KB

        MD5

        1cc7c37b7e0c8cd8bf04b6cc283e1e56

        SHA1

        0b9519763be6625bd5abce175dcc59c96d100d4c

        SHA256

        9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

        SHA512

        7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      • memory/1348-41-0x0000000002580000-0x0000000002581000-memory.dmp

        Filesize

        4KB

      • memory/1540-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1540-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-135-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-83-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-129-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-77-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-930-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-1888-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-2943-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-3348-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2208-70-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB