Overview

overview

7

Static

static

3

e2477f2b37...47.exe

windows7-x64

7

e2477f2b37...47.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe

  • Size

    474KB

  • MD5

    05288582d88af52d4eb5d770f2b64d88

  • SHA1

    52af2cd53a8ac45f0c5ae8bef68dd8aadc83a25d

  • SHA256

    e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047

  • SHA512

    72796ea7f5d6e88870fd7f53746575da52fa9d442af3936952dfd3da30461f57bd44fcc6ab5d78cd5a6b41a004e212e029c33b39599e5beff61bef8cee341cad

  • SSDEEP

    12288:vp7+ZZc0IursYCYQeSnyZJiqlEbXSb9Nt7qOFVHk4dU:x7AMYenGJiKEbXWt+Ok4S

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe
        "C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD52A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe
            "C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe
              "C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe" -burn.unelevated BurnPipe.{7F899143-CBD2-4C04-BE94-0E3D3935D94B} {9F268300-7FF3-4F0C-BFF9-B8D5E90FF5BE} 2920
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2784
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2888

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        2567deb9251e9121f164c60e26b24bbd

        SHA1

        76e75925e8060fe1f7d24e20ec093454025e63d9

        SHA256

        050dc407d48b7ec34604d7a08498f05aabe3a6f91c401e496623c9a072df5061

        SHA512

        4714c3d4bad62f6711e3621f3980fba3d1febdc3bfc840ad0b94a4fa3b881554e67e5c0ec2bfa8529401774cd766027106f9932a9f8be43859426622cb5e51f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aD52A.bat
        Filesize

        722B

        MD5

        61d9695d0fe9b056721694bda2f5e497

        SHA1

        cf2cf50d50628cb950969a311404568151768139

        SHA256

        c102fe6161590c3de5ffdb28ea3bf105a8965cc84cf665cba0223a8ec6ff73a9

        SHA512

        ca924b8692bba53035f557da6e3dde8ce8fbb6553c5a2fc949810ca229eab460ac071fa27dd2bbc3443e91cc866a9fdbab3086ea9e755057b16705b06b92e3a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e2477f2b3799c3ccd1e3e87293065d4bed87b12b625012e847250ff1b06d1047.exe.exe
        Filesize

        448KB

        MD5

        ebd7ec50a49d4e2c2aec4004de7df4c6

        SHA1

        9a40e931137abb8461a9efa92d7dc5c6cf1aa49a

        SHA256

        3e669d1b13e8d04552ba332ecf354dec855af59d88e1599701fd24dbf236e0f5

        SHA512

        adb12e2f31dbe31f8c052c987046c3c539ae33475b45068a226cfc415bba39cb69590d759e3fb287897945b8b47fb68c5c29d3cd6b90d462692bb004e970a381

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{a55ac379-46b0-461a-95b1-fef5c08443f2}\.ba1\logo.png
        Filesize

        1KB

        MD5

        d6bd210f227442b3362493d046cea233

        SHA1

        ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

        SHA256

        335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

        SHA512

        464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        dcde20a592e2616ce941f70b3eda6666

        SHA1

        5a9d1a32c1ec4e6e9d1cc2f4b83d0b1b347f04c6

        SHA256

        1d7a173e3ca6de63e081002d5b4343e3088a85d68157752953749078e0434220

        SHA512

        872c8350bcc2257e7785d3894edcd2f74cea4e40e7cb8ea6e905b65f4d593fc389a15920bb7a8e99394eb2fec60aa8f486d016c0eff9c079639055d10f2cd080

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini
        Filesize

        9B

        MD5

        34161716a6ca53479b632148242b943e

        SHA1

        8858557a658c16f5bd03652eff514e066d1600b8

        SHA256

        64655fa660d975efa9315df6cccb6edb310c9990826101015e68b735162a8e93

        SHA512

        a0f19a255929a439a71438d378f185d476428d7eeb6620dc8483ed838cc0ae044c5f2576a22b77856ae741a62081c9d398d154f71360e8f4b20b67af3b6283fd

        Download Submit

      • \Users\Admin\AppData\Local\Temp\{a55ac379-46b0-461a-95b1-fef5c08443f2}\.ba1\wixstdba.dll
        Filesize

        126KB

        MD5

        d7bf29763354eda154aad637017b5483

        SHA1

        dfa7d296bfeecde738ef4708aaabfebec6bc1e48

        SHA256

        7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

        SHA512

        1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

        Download Submit

      • memory/1216-48-0x0000000002A70000-0x0000000002A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1396-116-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-51-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-58-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-64-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-110-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-669-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-1893-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-2149-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1396-3353-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2576-16-0x0000000000280000-0x00000000002B4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2576-17-0x0000000000280000-0x00000000002B4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2576-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2576-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download