Overview

overview

7

Static

static

3

0ffc2b1804...56.exe

windows7-x64

7

0ffc2b1804...56.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe

  • Size

    905KB

  • MD5

    99a2658988fcbeeb6e5be4dca4716b71

  • SHA1

    6fdb11cfadcebc9e9e9f82e75d8b9ec763fe52ea

  • SHA256

    0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156

  • SHA512

    1927a6a1b192b7e52d30725ef464b48da33d11ce81b82238068084a4302aee77e2572968d923563db5a80e101f093785a2297504b891d18f983cf2056616cd5f

  • SSDEEP

    24576:X7mlPWOOMqdk/iHmR208IOJ0oCj5BMwoV1k9CcPJ:X7KWyqiaGR20S0o6fMwojk9CmJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 20 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
        "C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB71.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
            "C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe"
            4⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:2708
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2980

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        2c7ba2b6fa0edc36d38b1d39ee9a02e0

        SHA1

        43e253af6663e94a55fb74ed7961ee96c86d8f30

        SHA256

        1ba1570505bf883390e4c12cbbe1b701da3502df9eeb7c7f3e0b677131e22b35

        SHA512

        befc3c4ee223b663018f0fafcbde3cad6217c4fd37b9895273fab993e4484fa43dc271ccc2732d1af98360a800737c55ae6cf16b4d0d721d5ca061073f173f5b

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aDB71.bat
        Filesize

        722B

        MD5

        8d03ab83dd8e674780ed27d630f256c7

        SHA1

        7876cb13babb6d324cbaa7c7d72abbb049bedc2f

        SHA256

        3afcd5c0c899f4a84f6037d74d3f7192d9a85e2ebbc8669711f32ef801ec7ed9

        SHA512

        c0a5faa0d896409a91564408a9cf35479e95d61948b845107a9221740dbb5221a006b6011d0e17dd5f7c303de56a7fef7249402941f1dbda286301dc1f90b260

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe.exe
        Filesize

        879KB

        MD5

        cfca81243713de5d6e6e6653bd01f25e

        SHA1

        2d4e583b452a664a8fad657497799210df2527d3

        SHA256

        38afb7a96e6e05d0fa8aa6c651a080dc9b4e610d72c35ec04a222ab3f5f182cb

        SHA512

        b6f5b78783472f33a63b51618be95007ad1c1d203a7323e75d58dafd672004d7f72c50f9614d2f71250ecd671ce3650227d543eabb838090d0de2d2f7aa84698

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        e8ad4adb6a386853a8f6d32cb50c8044

        SHA1

        a44fcfb9b66ace9ac65d1aef71d4c0034bd72bc9

        SHA256

        63809d018fd7b0f5a9fc15abccd646c3fc8dc5a4a5cfd2117b38a4da4864658e

        SHA512

        f76ba72cebf8a938c4bc54d263dcf7c1e2b165846c504a3b38efdb0328f98c57944ead1ea5f3a397c09142b37b1a0fc6f3ea5f0f909643808be3a89963beda46

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini
        Filesize

        9B

        MD5

        1368e4d784ef82633de86fa6bc6e37f9

        SHA1

        77c7384e886b27647bb4f2fd364e7947e7b6abc6

        SHA256

        57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

        SHA512

        3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        Download Submit

      • memory/816-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/816-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1188-32-0x0000000002B90000-0x0000000002B91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1636-35-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-108-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-3350-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-52-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-100-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-2457-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-998-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1636-1888-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2484-28-0x0000000002290000-0x00000000023A4000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2708-29-0x00000000010F0000-0x0000000001204000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2708-30-0x0000000003BF0000-0x0000000003BF2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2708-36-0x00000000010F0000-0x0000000001204000-memory.dmp

        Filesize

        1.1MB

        Download