Overview

overview

7

Static

static

3

9c7b722a28...de.exe

windows7-x64

7

9c7b722a28...de.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23/06/2024, 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe

  • Size

    362KB

  • MD5

    1132b2d4f66397ca61d61164bacd152d

  • SHA1

    1aee2b8c21508242465c60a0321ba59483553655

  • SHA256

    9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde

  • SHA512

    098dc55e4f299d4ec3c19dc7ec1ba48a974c74f6456ad8dd3bcf34b072dda6c7a10b77346babefb74c4dc026866bd2dcf24c43904ffe36df1edaf88d60bf2003

  • SSDEEP

    6144:zFp9zU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:JpRU66b5zhVymA/XSRh

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe
        "C:\Users\Admin\AppData\Local\Temp\9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3534.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Users\Admin\AppData\Local\Temp\9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe
            "C:\Users\Admin\AppData\Local\Temp\9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe"
            4⤵
            • Executes dropped EXE
            PID:2852
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        acc2d7dd51ab514e43e27a541a436296

        SHA1

        7cfd57778198ad2e5a6e6e84938e642031ed2faf

        SHA256

        c668d5247ab9bed3348c6e4cc9b31e19fe905a6578f31511feafca853b7ce734

        SHA512

        7b4fd6a8d4291c6b33a2fe454587e562d6a665bfd1f1eaf88f431ed279883a7970366e83bd498a500193766d4fdaadf7b8544cdaa6896ec315ee44b4836b3499

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a3534.bat
        Filesize

        722B

        MD5

        c847cf32991a3d06e2c49d7b49934139

        SHA1

        a96b2a0e4253da217430d56b505b30c253750dfc

        SHA256

        f59fff9129a257a521dc4879497e5cbf104c037da0e1184966a4e99f25e6ea0f

        SHA512

        3146cf1a6a4ddd237a3af3742c9eb98402f4751a4ab82a2ef7fcabb43f10d00287d5e464c96d0c2d5ff1e1910c57997e01bb36b32d6be26f172cd9fef02574cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9c7b722a281de6e99ade154d8974162a48b26d2d352bbdd9142edf4c66cdddde.exe.exe
        Filesize

        335KB

        MD5

        40ac62c087648ccc2c58dae066d34c98

        SHA1

        0e87efb6ddfe59e534ea9e829cad35be8563e5f7

        SHA256

        482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

        SHA512

        0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        b00d9a2252bbc499e7eccd5a9ff85cea

        SHA1

        89b8f1981d516ec5e65356440628fa080c806d4c

        SHA256

        870465d81aafc8bcc7e40492302b8302465d6e42505176d6d2da53e9a9df9a80

        SHA512

        a85e80bfe9e651447496c725a409986ee7d3ba9de0c39b904fd37144874992d5d9d4f3cb3d544903e353d96632513b40c65af4c6709dede0bc792e50e8c84445

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
        Filesize

        9B

        MD5

        874f697d7c26bf1b6cc8a502b53db25d

        SHA1

        fee5430622f05615e68fd229e48f2846796c0795

        SHA256

        d9d05459bc11d078b148543de9eb14643747fbf996790dcf04d2725361251798

        SHA512

        51a722a09c79ef1d6c4a08b3a696b1ca7e34f0e1b0798edb7ebc6c9f596740d9d95c6f4228b9d5012b2472bab03b7998b751a4cbfb6c259229dd853c7fcebb2e

        Download Submit

      • memory/1204-29-0x0000000002540000-0x0000000002541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2560-20-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-31-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-38-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-44-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-90-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-96-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-848-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-1873-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-2746-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2560-3333-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2920-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2920-16-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download