Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 18:39

General

  • Target
    38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
  • Size
    3.5MB
  • MD5
    20a163251d455bb56f0e34dbe85f31e5
  • SHA1
    762ce8247d2cea1d049c219d50328d683e6977f6
  • SHA256
    38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3
  • SHA512
    239c94f35770bd9d517e1012673b564b75fd9d2f894313339dfbdccc5c7fa59222259b39c206270f980dc7e5e1b45db893d866327ad35d3609cc62fbc042ae1f
  • SSDEEP
    49152:N7Nzho0LuviX3KGXgr4rLh5i4NSjFBhm5Tksb59AR4JGt+RxBT/b+/Eyfh/:R97KGXCMi1m5Ysb+8pTs

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
        "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5D9A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:2864
          • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
            "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
            4⤵
            • Executes dropped EXE
            PID:2748
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: 49a62820d1efb4519dd944dcd70fc628
    SHA1: 69dbe72b903c993214fccd5f46033dce498dd6da
    SHA256: f44d841a27e818cb49961212d433665decc5343cde83bc1ac30d6814e88cf478
    SHA512: 6c1b7a75b1256d747ef45aa848366b90b400685ef9658bd6c1b9de92a010633caca4c575d4973cd4bb90dfdfc28bb557516935c5609e586630bd2e12589f2d9d

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 471KB
    MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
    SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
    SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
    SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

  • C:\Users\Admin\AppData\Local\Temp\$$a5D9A.bat
    Filesize: 722B
    MD5: 7b48269d50c2ced00d27ab89fb0721dd
    SHA1: f0c96fd3fda6d91ca7aaf3b6e343d4d4c84a51b0
    SHA256: 610781b120933b36dce46a11be8011b0963fdf2154c242d6e9ebafb819a083d2
    SHA512: 6fc85459dbd0ac554bc41af6d1a84fddda90bd71f5296913bd87a939d0b91d8b7a87073aad501f1fdbe980df624316be1e1da81bc4031901e2f15e6b276f4d19

  • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe.exe
    Filesize: 3.5MB
    MD5: d9f3e7d65208d33072ca8508f3e1a1ed
    SHA1: 900a44cb8c3e67983fa048d63a3e826c987ea8d6
    SHA256: 449882e178a951857ab9e242fd4b4fdb974d3c8a4c7c36a4e037c46b20f73d6d
    SHA512: a992e0d4ab3f26205720042a24ad6886eec3c05e27637ede1ad9630dc8d5a1aa6c46b7e298946fa2035f4b14442693e9bbda53c51fd9a5701cd0a408f194a117

  • C:\Windows\Logo1_.exe
    Filesize: 26KB
    MD5: 869d76e7fc9dfbd34eb7ef916d28097f
    SHA1: 46a09541d845c9252cf299b3baa7d987ce65e91e
    SHA256: 89ef653086b94ea01573ce95d15a76aa140fd9a8a34e9ded6d642a53541674d3
    SHA512: 0a6e0273375df97c9258ff48b21b022b8dfd3d0831db0518f21abd38f54c5d724d950f6fbb43cd492330121b614f488c3c90aa679e9d0257c0570b59443df254

  • F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini
    Filesize: 9B
    MD5: 4f2460b507685f7d7bfe6393f335f1c9
    SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
    SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
    SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

  • memory/1200-11-0x00000000001B0000-0x00000000001E4000-memory.dmp
    Filesize: 208KB
  • memory/1200-18-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1200-0-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1268-30-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize: 4KB
  • memory/1752-33-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-46-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-92-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-98-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-188-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-1875-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-40-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-3335-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1752-19-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB