Analysis

  • max time kernel: 150s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-06-2024 18:36

General

  • Target: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
  • Size: 417KB
  • MD5: 99eceb281f12da13cda991a03c298be8
  • SHA1: 31d93c4b71d8960313a18cf1b024ea7ef8f7cbe9
  • SHA256: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
  • SHA512: ab61b735272d58e1613f6d6ea41364026458cf4cd9499fb6a064e2c77ceb452fefec70d9481781bb8cdfcaaa26b698b19d5cf01866c4d433bd8511ad6e8dc8dd
  • SSDEEP: 6144:guJ45eaB+K7A1LBDejpRTxLn1gUkIJsTk0l2mI:S57B9A1dDURTxLyUkIJok0lPI

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
      "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1ED6.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
          "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
          4⤵
          • Executes dropped EXE
          PID:2736
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
            PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 254KB
    MD5: 432aa5b6bcd692caa88869c8bdc43681
    SHA1: aeb7c43781d43851f7f127b4e5adc46f743d1b14
    SHA256: 86cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
    SHA512: 4f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 474KB
    MD5: 6f0ec1ca208b0521f58bcd694897df06
    SHA1: 808a16d524301513af8ee772936f6bdcf41623a6
    SHA256: 53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf
    SHA512: d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

  • C:\Users\Admin\AppData\Local\Temp\$$a1ED6.bat
    Filesize: 722B
    MD5: 496f1eaff8540238b19125aaf606e3a8
    SHA1: 06b5298b4b896fec3519f4d7841bf30e366f415b
    SHA256: 0868fa58a1af9f4ef3ba6e622ea3ca2fe06945b69cae2b208af58e79a2c881e4
    SHA512: d214de9c59364f41bfd0aa000cf299e49ecd7701a2223425803987b12dc87f885d6f34555089d58094b0b6c8a280f4fa4874c589c47f77d69fbe9876769158c6

  • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe
    Filesize: 388KB
    MD5: 766721f110f52057319fb87a2f1d4225
    SHA1: 6b2d5b226224567f726fe5c641f4a55e575a1781
    SHA256: 4ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
    SHA512: 49d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9

  • C:\Windows\Logo1_.exe
    Filesize: 29KB
    MD5: dccda60757967a88ad8a9a89f813748b
    SHA1: 30342bac716279dc71135ca51c669c25940a8684
    SHA256: 73bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
    SHA512: b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816

  • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
    Filesize: 9B
    MD5: 4f2460b507685f7d7bfe6393f335f1c9
    SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
    SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
    SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

  • memory/1196-30-0x00000000025B0000-0x00000000025B1000-memory.dmp (Filesize: 4KB)
  • memory/2068-18-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-32-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-39-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-45-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-91-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-97-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-534-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-1874-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-2084-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2068-3334-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2436-0-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2436-16-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)