Overview

overview

7

Static

static

3

e7ddcaba29...2f.exe

windows7-x64

7

e7ddcaba29...2f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe

  • Size

    260KB

  • MD5

    b283549b798cc302bfa1338f179b71c2

  • SHA1

    2dbb4f91f757ad4dcb3e981dde994b3bc2c51474

  • SHA256

    e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f

  • SHA512

    dd2ead3d9937f5fbf32a1c3a623b763a71fac989169cca0e1c35900e01ad102f7904e121b8d6893db94887673620665f945a9bf25521ca2f7075b0467b8fa7ee

  • SSDEEP

    3072:TFMlkuJVFuLRkgUA1nQZwFGVO4Mqg+WDY:hMiuJXuLRp1nQ4QLd

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe
        "C:\Users\Admin\AppData\Local\Temp\e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a17B5.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Users\Admin\AppData\Local\Temp\e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe
            "C:\Users\Admin\AppData\Local\Temp\e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe"
            4⤵
            • Executes dropped EXE
            PID:2744
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1204

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        75ef99aabc408c8781ac094c88291c98

        SHA1

        a6bf4058f9d481d3d04a5ae59c860f486ee93df2

        SHA256

        3b677985b63d155d14f3d577c455f93fcfe19eb0b9be3032912c65342ccbb10c

        SHA512

        12ed5a63f7a081315aa9a011018e6dadc53efdf4d52bf937eff9536de4d90c7469bbc656ff0437c3a95a4177279cdbab0650bc06411110817f8c5176a532c19a

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        2fbf828db79fe4b78ebad2a33057feb7

        SHA1

        21a39ee5075e75dd06f7c09ab627ce8b3d5ed7f2

        SHA256

        1b6903313bd593a97612fadd153b771dd2c8ed2a83fd9d89e40b98ee51595210

        SHA512

        d1737db977c9a87073045556a3dfbb21173084fc43ed43b2e884c2619a4c1a568905b1f22dec8f9062768f9cc199094bfb90af3cfab6e0e5f5442157bbe71d69

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a17B5.bat
        Filesize

        722B

        MD5

        7da5b937032602bac1866bb0bdebbb91

        SHA1

        38ac07469a30eb59b09171b39edcf1953d8bc4f1

        SHA256

        bbe701d6a1a5d02654fd9286df455fe67153bc931b2d249eecaecedc95459fd3

        SHA512

        0e7673c40039075355820c9f96962dccb28055deebe39659c799c04937e537bb8780fbf1841abde4e63d1a7cac3cf00c07612eef0bc5a1551fff637588edf7b2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e7ddcaba29ccc15ba902b55b9c3b99bf7a0d3998a8011befde16eecd93ea2c2f.exe.exe
        Filesize

        231KB

        MD5

        6f581a41167d2d484fcba20e6fc3c39a

        SHA1

        d48de48d24101b9baaa24f674066577e38e6b75c

        SHA256

        3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

        SHA512

        e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        c574da3c8af83a4886cf1d8a0c71c79f

        SHA1

        5dacedb189b23d7d6119d132405840b9917f12f1

        SHA256

        9d8e1eafc09fe11ec8acb7e0545f9d4a419982a085bd141236a7090fa03dcfd8

        SHA512

        3284d03dfe3840141da3d92c0a11427b3880f0405c3d4a69d87067067bcc710073e1da9585d2efc438b5f5057be94f4b0832b9891735ac1bbded1c6ac7d0d13c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\_desktop.ini
        Filesize

        9B

        MD5

        34161716a6ca53479b632148242b943e

        SHA1

        8858557a658c16f5bd03652eff514e066d1600b8

        SHA256

        64655fa660d975efa9315df6cccb6edb310c9990826101015e68b735162a8e93

        SHA512

        a0f19a255929a439a71438d378f185d476428d7eeb6620dc8483ed838cc0ae044c5f2576a22b77856ae741a62081c9d398d154f71360e8f4b20b67af3b6283fd

        Download Submit

      • memory/1208-29-0x0000000002B50000-0x0000000002B51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2720-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2720-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-677-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-1874-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-2480-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-3334-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2952-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download