Overview

overview

7

Static

static

3

5920f60827...1a.exe

windows7-x64

7

5920f60827...1a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe

  • Size

    661KB

  • MD5

    41a763d0942b18bcbe2f0543d755c4b8

  • SHA1

    b7f8ffc6f09eb5e9e4d77817c3751ddfd4926a30

  • SHA256

    5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a

  • SHA512

    88b1be2c046a632fad824bbeaa084967c8843d480e074add45121bf64b3c5c36eeda3e7fe93d681a4afbd5bb201f933fe578f5126447f45b3023b2754825ac23

  • SSDEEP

    12288:Pp7+unMwHskY7gjcjhVIEhqgM7bWvcsi6aVKrIysU40vy3W/ceKSHMsiFyY6XN2:R7BMysZgjS1hqgSC/izGfHjymk4HM5yJ

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe
        "C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6EAB.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe
            "C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\Temp\{062D9815-A7AD-4BF3-90DA-436BFB590DBD}\.cr\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe
              "C:\Windows\Temp\{062D9815-A7AD-4BF3-90DA-436BFB590DBD}\.cr\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2220
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        c8815a0def060805cd68b27911b50324

        SHA1

        7679abbdb549b6f2e55019d01f45601d60177c42

        SHA256

        75f96336b6f31fb604f361a304076c9636a01d3dfe806e36736f875d71248eb2

        SHA512

        292c67e8ad8d04f552f8d7a77bb8639db5b71e608138164ed8770c80b620ec442bafd53d1a11b9bbc22abd45ed9505ddbe4618c499bed2fe53c2bf5db67aafac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a6EAB.bat
        Filesize

        722B

        MD5

        4e5bb38472ed152f1038089b113cb11a

        SHA1

        89a6fee43c27e09f9c135529c0bc51163f59e219

        SHA256

        9ca74d51bca9a6385a21b5fcc56826da3ce47094ad254e90a3f7d59a8db99d0b

        SHA512

        b8cbcabfbe749acc6e46615b97aa7d92ad23bc80866f20673d786623eb4b7447be539b4649314d162d364e899a4185d5922158715b1bfd73c349a49b917081d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5920f60827bb171b4f0d2fa89c071292afc99b600b8deebf2b2726142ff4b01a.exe.exe
        Filesize

        635KB

        MD5

        848da6b57cb8acc151a8d64d15ba383d

        SHA1

        8f4d4a1afa9fd985c67642213b3e7ccf415591da

        SHA256

        5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

        SHA512

        ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        aaffa63d279b442bf6447d8e27477be7

        SHA1

        ce128e98423d5e0dd1b35c0e8e8eb854d5599a0f

        SHA256

        acca897ac28f597801df59bd1343785f7bea8c1013821c44d2f1878ee5ef1488

        SHA512

        b8521588339c507b10c473aaa8aca314598962588da0014b00f413f9874a425534eb20260ed39484728bd4466fb3d7f516b6cfccc56d51e026f5365030b81c26

        Download Submit

      • C:\Windows\Temp\{1BFC3AB5-FB16-4EA9-817D-385F4E706839}\.ba\logo.png
        Filesize

        1KB

        MD5

        d6bd210f227442b3362493d046cea233

        SHA1

        ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

        SHA256

        335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

        SHA512

        464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini
        Filesize

        9B

        MD5

        1368e4d784ef82633de86fa6bc6e37f9

        SHA1

        77c7384e886b27647bb4f2fd364e7947e7b6abc6

        SHA256

        57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

        SHA512

        3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        Download Submit

      • \Windows\Temp\{1BFC3AB5-FB16-4EA9-817D-385F4E706839}\.ba\wixstdba.dll
        Filesize

        191KB

        MD5

        eab9caf4277829abdf6223ec1efa0edd

        SHA1

        74862ecf349a9bedd32699f2a7a4e00b4727543d

        SHA256

        a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

        SHA512

        45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

        Download Submit

      • memory/1236-78-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1932-146-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-81-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-88-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-94-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-140-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-543-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-1923-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1932-3383-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2928-12-0x00000000001B0000-0x00000000001E4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2928-18-0x00000000001B0000-0x00000000001E4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2928-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2928-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download