Overview

overview

7

Static

static

3

b537f28b33...7d.exe

windows7-x64

7

b537f28b33...7d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe

  • Size

    1.2MB

  • MD5

    d65394674d3e7355ba0039eeef2416f4

  • SHA1

    5767c74a60d85a32b5d2d9beeacf7491e9db73e8

  • SHA256

    b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d

  • SHA512

    1c28fc6d2b169869cb604e539da08c037ce160f0d4c496b9a8ddaae2d13b95f5dd2c51bc1e797fba92e4eae2f87756dd5556a0abfac18889c64c3dd690fc1e6e

  • SSDEEP

    12288:ip7+lZtPAB2GjMGfNTKdal60yMoFKimTBEAGlyV/vtvOhw5WxZevp:G7IZtP4zgSEAd8fBlYKwnvp

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe
        "C:\Users\Admin\AppData\Local\Temp\b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFAA.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Users\Admin\AppData\Local\Temp\b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe
            "C:\Users\Admin\AppData\Local\Temp\b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe"
            4⤵
            • Executes dropped EXE
            PID:2584
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        88a7dac99617788a3f6e9e10f9ac447d

        SHA1

        c2adfcd7118facbf99366d28337665ce802baa1b

        SHA256

        284e0eb238a30fda222ad9ecd9f3dc0acd6aef33027562e0fa878e17d54a8d0b

        SHA512

        6fb722713b705434816e30bdd3e26a68553bf4ba184ca6d59e47e61dbfc2ae4b72833a573e5a263f33f183e0ad6f2ab3c7e0b6e84cacd49d08d5921f3ef1e156

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aFAA.bat
        Filesize

        721B

        MD5

        0e878135146f5d716d212e9fb21706f6

        SHA1

        9b893e13a25b456787bb9a3aac54943b80d141a9

        SHA256

        8152bdc96651bc573d7c072f4b7e39fe9a55beb8467aaf7e940d3d2df228172d

        SHA512

        d0776c8101be9f63f9e0b4f10aef8d5f46c2a94fe3fa415af2a6cb3c164f86b1644b3be523a48e5e5dc9fc7f04aa6620a457809916be6ddffb660c470458445f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b537f28b3380ce78629945048753924f48e12279cc4ac69c63985416a215117d.exe.exe
        Filesize

        1.2MB

        MD5

        bc111a2e7428e1bfc86a7edd0ea9ea43

        SHA1

        120801cf6286ec01bee0660b7813f33584385169

        SHA256

        1dd8554472d5511a9494a46bb80f82cad86c71877db81459335a5a97d1d72b05

        SHA512

        5477cf6df611f82e69dfa18feecb92a40d925d589658b8582b66971b2bb204db4c7a1bb68064e516b3a91ed1efc3f86eceec01e27171398db8f1ee216361342f

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        033f832ce1346b7839ab0114b7d46349

        SHA1

        339553f046186e54c91ea18765bfef551701f37b

        SHA256

        771a6d5ca90b397c56e449ed8c2966364db1f6774dca74b74fe0f6eed8db4226

        SHA512

        e6a2ac92e6cac4774e5d3f8438388dacbc8359f60c40a6c76574d87de6da4ae65e06008c1d060f1c50a2804d432981105e71cb89a8ba65c2b1095da9eb951858

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
        Filesize

        8B

        MD5

        ee8c783242e20d39ed0878caba7b4548

        SHA1

        1556ec263d4ec9c198a44ea2ecc3c4141ef4509b

        SHA256

        83855d38f6399f8cd40257a5d87a328d41c21e0e50ad4c91de11897e03ad4532

        SHA512

        427491089ca5aecb5f365d6adf2e5c9d18a7acf93d471a425364dc504f581f29908df9abfa0fb721e768004737d6c250804dbf27b3c9e4b87532052810318f2a

        Download Submit

      • memory/1088-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-91-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-97-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-589-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-1874-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-2438-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1088-3334-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1136-30-0x00000000024E0000-0x00000000024E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2008-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2008-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download