Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 17:36

General

  • Target

    c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe

  • Size

    1.2MB

  • MD5

    e64216cb5d54d2e626b33052517dcc2a

  • SHA1

    a68915744162197ffd42cdc373944b6b4cb739aa

  • SHA256

    c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34

  • SHA512

    4730d03a44d9ebd6e45a7604cbb3e9464883ffe0171e425311e2990fcc2081c003d5be86d9edab46548a0f38839de360ae6e024e9f35b7d28f23c97c56149c49

  • SSDEEP

    24576:x7gaWLpaiGhP1x+96UBz1ViIhTj4OHAeTkuppyLELJt/8Vh2zcxZ7W9c1SoNN0y7:x7gajiI1k9/H9SOHAmkVLk8H2GpXSyx

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1344
      • C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
        "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6AE3.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
            "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            PID:2824
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:2480
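The tree above is the behavioural chain worth hunting for on other hosts: the dropper spawns cmd.exe on a batch file in its own Temp directory (the batch then deletes the original and relaunches it), a sibling Logo1_.exe runs from the root of C:\Windows, and net.exe stops a named antivirus service. The detection logic below is an added example, not part of this report or of any vendor's rule set. It runs over process-creation events constructed from the PIDs, images and command lines the tree shows; the event field names, the C:\Windows root allowlist and the security-product keyword list are assumptions of mine.

```python
import re

# Process-creation events constructed from the report's process tree: the PIDs,
# images and command lines are the ones it shows, and each ppid follows the tree's
# nesting. The field names are an assumption, not a Sysmon or EDR export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe")
EVENTS = [
    {"pid": 1344, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2204, "ppid": 1344, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2124, "ppid": 2204, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6AE3.bat"},
    {"pid": 2824, "ppid": 2124, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2612, "ppid": 2204, "image": r"C:\Windows\Logo1_.exe",
     "cmdline": r"C:\Windows\Logo1_.exe"},
    {"pid": 2760, "ppid": 2612, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2480, "ppid": 2760, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
]

# Executables Windows itself keeps directly under C:\Windows (assumed allowlist; take
# it from a clean build of your own image). Anything else launched from there is odd.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                      "hh.exe", "helppane.exe", "splwow64.exe", "bfsvc.exe",
                      "winhlp32.exe", "fveupdate.exe"}
# Substrings of service names that point at security products (assumed list).
SECURITY_KEYWORDS = ("antivirus", "anti-virus", "defender", "kingsoft",
                     "firewall", "endpoint")
BAT_RE = re.compile(r'/c\s+"?(\S+\.bat)', re.I)
STOP_RE = re.compile(r'\bstop\s+"?([^"]+)"?', re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1]


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def detect(events):
    """Return (rule, pid) pairs for the behaviours the report's tree exhibits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, d, cmd = _base(e["image"]).lower(), _dir(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None

        # 1. cmd.exe /c on a batch file in a Temp directory, launched by an executable
        #    living in that same directory: the hand-off a dropper uses so a script
        #    can delete the original binary ("Deletes itself") once the dropper exits.
        m = BAT_RE.search(cmd) if img == "cmd.exe" else None
        if (m and parent and "\\temp\\" in m.group(1).lower()
                and _dir(m.group(1)) == _dir(parent["image"])):
            hits.append(("temp_bat_from_temp_exe", e["pid"]))

        # 2. A process image directly in C:\Windows that is not a known system binary
        #    (Logo1_.exe here). Writing there needs administrative rights, which the
        #    sandbox user evidently had.
        if d == r"c:\windows" and img not in WINDOWS_ROOT_ALLOW:
            hits.append(("unexpected_exe_in_windows_root", e["pid"]))

        # 3. net.exe / net1.exe stopping a service whose name looks like an AV product.
        if img in ("net.exe", "net1.exe"):
            m = STOP_RE.search(cmd)
            if m and any(k in m.group(1).lower() for k in SECURITY_KEYWORDS):
                hits.append(("stops_security_service", e["pid"]))

        # 4. The batch file's cmd.exe re-launches the very image that spawned it
        #    (grandparent and child share a path): the second run of the sample.
        if (parent and _base(parent["image"]).lower() == "cmd.exe" and grand
                and grand["image"].lower() == e["image"].lower()):
            hits.append(("relaunch_via_batch", e["pid"]))
    return hits


def ancestry(events, pid):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid {pid}: {' -> '.join(ancestry(EVENTS, pid))}")
```

Rules 1 and 4 key on the relationship between parent, child and the batch file's directory rather than on the random `$$a6AE3.bat` name, so they survive a renamed dropper; rule 2 is the noisiest and should be tuned against a clean image before it goes into production.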

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize: 251KB
        MD5: cafcc9d7c72ff567e107a878c793cf0e
        SHA1: 07d0589ee9faf37b77b47695f316d317baf81246
        SHA256: e850f4e1eff89030de3b4e1c529770ec3d102547699f5687699cc10042bca715
        SHA512: fe341d07fbe64548e5050c3294392848eaf28d975c7bf2ce41d57511d2bb45da05f6f53ae4c4871163f2000c64a721475a77daa5458f4c7de35d637654c7dd1b

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize: 471KB
        MD5: c6c8fde27f649c91ddaab8cb9ca344a6
        SHA1: 5e4865aec432a18107182f47edda176e8c566152
        SHA256: 32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100
        SHA512: a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

      • C:\Users\Admin\AppData\Local\Temp\$$a6AE3.bat
        Filesize: 722B
        MD5: 5ea9b0d8eb3edd7a6780662d58269ad0
        SHA1: 0e52df5d0867bb8d25935e4fc9e3af4c490f0d56
        SHA256: e68720262562c21dcc2625c6732d0f926d64d8d27b16371b8a6a8d56baf92534
        SHA512: 574771fb0e19bbf1d205efb781ff5c0488caeea9c39ccf84e5ba0170ace6e21ef1f9d1ab36f3c3a54b59a3454f6a3d80b7bdaecd92d378beb441568ac8c87eb9

      • C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe.exe
        Filesize: 1.1MB
        MD5: fabe184f6721e640474e1497c69ffc98
        SHA1: 2f23a6389470db5d0dd2095d64939657d8d3ea9d
        SHA256: 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80
        SHA512: 2924fd60f5dd636f643b68d402b65c2bfab5536122aa688ebba5ae142c7d04ce8b1c8e078f54db8adadce9d5c6fa74c0794604ecc16a4c5489f9ca70a6d9e1c4

      • C:\Windows\Logo1_.exe
        Filesize: 26KB
        MD5: 8ba3b10246e04d4b57287e690f77057b
        SHA1: 356eb7a62df1fdfb78711f5bb7d1347df5bbe797
        SHA256: 1c8c64333fcd85341531abb72c7673109683f519ae0e7fc228e51d9a082708cc
        SHA512: eb79e2861d0ebc95ca0b9db177770ebaf5ea528f98efb018a7bc57c576cff11f4a71bc047c047b3ee04314b821b8481f59bfb36d3449838ee2579d51f0e9bcf5

      • F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini
        Filesize: 9B
        MD5: 4f2460b507685f7d7bfe6393f335f1c9
        SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
        SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
        SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

      • memory/1344-29-0x00000000026B0000-0x00000000026B1000-memory.dmp (Filesize: 4KB)
      • memory/2204-17-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2204-0-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2204-12-0x0000000000220000-0x0000000000254000-memory.dmp (Filesize: 208KB)
      • memory/2612-32-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-39-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-45-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-91-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-97-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-186-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-1874-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
      • memory/2612-3334-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
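To use the file list above on other hosts, a responder needs the digests in a form a script can compare. The following is an added example and not the sandbox's own tooling: it transcribes the digests of the files the sample itself created (Logo1_.exe, the batch file and the re-dropped .exe.exe) into a table, hashes files in one streaming pass and reports which of MD5, SHA1 and SHA256 agree, so that a partial match (one digest agrees, the others do not) surfaces as a transcription error or a collision instead of being silently counted as a hit. The GoogleUpdateCore.exe and vcredist_x64.exe entries are deliberately left out: they are pre-existing Program Files binaries the sample wrote to, so their digests describe this sandbox's modified copies. Function and variable names are my own, and whether any of these digests is stable across infections is not something the report states.

```python
import hashlib
import os

# Digests transcribed from the report's file list. Treat a hit on any of them as a
# lead to investigate, and the absence of a hit as no evidence either way.
REPORT_IOCS = {
    "Logo1_.exe": {
        "md5": "8ba3b10246e04d4b57287e690f77057b",
        "sha1": "356eb7a62df1fdfb78711f5bb7d1347df5bbe797",
        "sha256": "1c8c64333fcd85341531abb72c7673109683f519ae0e7fc228e51d9a082708cc",
    },
    "$$a6AE3.bat": {
        "md5": "5ea9b0d8eb3edd7a6780662d58269ad0",
        "sha1": "0e52df5d0867bb8d25935e4fc9e3af4c490f0d56",
        "sha256": "e68720262562c21dcc2625c6732d0f926d64d8d27b16371b8a6a8d56baf92534",
    },
    "c68b0aaf...bd34.exe.exe": {
        "md5": "fabe184f6721e640474e1497c69ffc98",
        "sha1": "2f23a6389470db5d0dd2095d64939657d8d3ea9d",
        "sha256": "759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80",
    },
}
ALGOS = ("md5", "sha1", "sha256")


def hashes_of_bytes(data: bytes) -> dict:
    """All three digests of an in-memory blob (lower-case hex)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hashes_of_file(path: str, chunk: int = 1 << 20) -> dict:
    """All three digests of a file, computed together in a single pass."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_iocs(observed: dict, iocs: dict) -> list:
    """IoC entries sharing at least one digest with `observed`, each with the list
    of algorithms that agreed. Anything short of all three means the table entry
    or the file deserves a second look (typo, truncated dump, deliberate collision)."""
    hits = []
    for label, entry in iocs.items():
        agreed = [a for a in ALGOS if a in entry and entry[a].lower() == observed[a]]
        if agreed:
            hits.append((label, agreed))
    return hits


def scan_tree(root: str, iocs: dict = REPORT_IOCS) -> list:
    """Walk a directory and return (path, label, agreed_algorithms) for every hit.
    Unreadable files (locked by a running process, access denied) are skipped
    rather than aborting the sweep; a real deployment should log them."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                observed = hashes_of_file(path)
            except OSError:
                continue
            for label, agreed in match_iocs(observed, iocs):
                findings.append((path, label, agreed))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, label, agreed in scan_tree(root):
        print(f"{path}: matches {label} on {', '.join(agreed)}")
```

Run it against C:\Windows and the user Temp directories first, since those are where the report shows the sample writing; a hit on Logo1_.exe with all three digests agreeing is the strongest signal this list can give.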