Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 18:46

General

  • Target

    360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe

  • Size

    179KB

  • MD5

    90c70ce48bd5cb8fe9b438cdfde863e1

  • SHA1

    89450efff9f839759d71c856d3d88138e863c98b

  • SHA256

    360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb

  • SHA512

    aa8b988debd456000774166d8fbf1a6d23deea43d5be69642df349406e6c77259a45596b98219641589c471bc3c793e48b996242141d0556e60fe688a857a546

  • SSDEEP

    3072:2IhftffjmNthi4jX2XUa7tOXN90sVfEzCVnuDgbACrwJ:3VfjmNtPjULOdu4nlbFr6

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
        "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58DA.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:1752
          • C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
            "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
            4⤵
            • Executes dropped EXE
            PID:2484
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: d3e8a267133d83c4bd585a13e8135ef1
    SHA1: 53afe847d8eeccacd442d930ac0fc52d18be2f62
    SHA256: 9f5d1aa6322230f568f5ec1dcce9829f666bf330d5e05b177b6612a175fd51c8
    SHA512: 01f8f44d20447a39c2e1a8d850e3738e387a44b725fa342dd351b0abf9b654aa7888b08ec4b347950a0d2cc781ecdd8f332e12467fc5e0265f9e92b27c6b320b

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 471KB
    MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
    SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
    SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
    SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

  • C:\Users\Admin\AppData\Local\Temp\$$a58DA.bat
    Filesize: 722B
    MD5: 08bd0b3d81b187db8cd359fd1ab32678
    SHA1: 891c8247acc6fa014cb0d1f9e77788728a38f600
    SHA256: 4be78546f64cbb66145568e65418194e51d1d30e1c6a7602710f719c763067b6
    SHA512: 05379e9bbe279779829dfb283e2d5b95aaa1e0eb9d4ef84b8dc6097fa9eb6bee1b285d0528ca484c6c00f24a1b2d1b43720e77be8cfcd9135c83095eed8c4123

  • C:\Windows\Logo1_.exe
    Filesize: 26KB
    MD5: ea93d9d4c57b19e96eabc55fa2a44c93
    SHA1: 6dfbe57a710e593304d00f7ea80c7275291fff6d
    SHA256: d123ca9f2bf2eb799707b93ab1695e53ea778feda574774a3adee615b4c53ffb
    SHA512: 9a440dfcaff1018e00eb371dfc7afd9864cc303821594ea09d8feb795f89148b222711ac6d1f6d818c9d9c0a8adb2adcf801700be89a14a6c93d9449a8e4ad4a

  • F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini
    Filesize: 9B
    MD5: 4f2460b507685f7d7bfe6393f335f1c9
    SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
    SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
    SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

  • \Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
    Filesize: 153KB
    MD5: 248e4fcfb8cb29146f73dce2880441f1
    SHA1: 3f83a3e61f56224aa946263d68029e8862d981b2
    SHA256: 42433b2358e677dba21525bfa84d3469afd6cc750821c2d81576c1146a032272
    SHA512: 350e2d24af22a8a2ae9fd744660843b9c2cb79e5fd95a66ed759b0df75cd05c8c12b390f8f8e84ce0dcb539597c5e79302728bac39d064256bdd07eef7757005

  • memory/1268-30-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize: 4KB

  • memory/2868-12-0x0000000000230000-0x0000000000264000-memory.dmp
    Filesize: 208KB

  • memory/2868-18-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/2868-0-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-32-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-45-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-91-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-97-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-261-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-1874-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-39-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-3334-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB

  • memory/3068-19-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB