Overview

overview

7

Static

static

3

9703d82279...25.exe

windows7-x64

7

9703d82279...25.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2024, 03:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe

  • Size

    4.7MB

  • MD5

    b507b4fae4e829a594551c9aa9558c76

  • SHA1

    5bb73ec8187673fa4d5a5f1fe58a28f05a43b1c5

  • SHA256

    9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425

  • SHA512

    b83bc9f25fdc7709d8e019a52ee48b1ca9b378e474ebcdd56270eda8c5a178b10976d8d883bcc6e0c3dfca7e261d99efdd1805d9a7e05980c39862ea9e614015

  • SSDEEP

    98304:TTZHwkh8lA5qICtNhQ8k7N1k4AYOfVkmUWqK7ZGFq86ZyiyEysbNLVExp3Zkoe8:TdHZ+YItNHk7NSDY0+WNZGoPZPZuxpJB

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe
        "C:\Users\Admin\AppData\Local\Temp\9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA8EC.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Users\Admin\AppData\Local\Temp\9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe
            "C:\Users\Admin\AppData\Local\Temp\9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Users\Admin\AppData\Local\Temp\360hb_tmp\4.0.324.0\360huabaosetup.exe
              "C:\Users\Admin\AppData\Local\Temp\360hb_tmp\4.0.324.0\360huabaosetup.exe" --user /exename:9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe
              5⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              PID:2252
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2708

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              6d6b52efb2a0ffa93fa75e30b8a6cdb8

              SHA1

              3d95a6beccd3b0c5099dc6f5a4d8b7835b2adc6f

              SHA256

              570c1aeaa331c0f06af39ea01ce7b4a1b572d1746d233bc2fd356928792074da

              SHA512

              7799102bf0a1785d53bcb4bb994e54efc4dc3d7ee16fd864d9c210d0c86771f49d9664ed0f00fa7aa7d08ad0cb7f3a62b9693ec4496418dfc6c4a44e68595fcf

              Download Submit

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              471KB

              MD5

              4cfdb20b04aa239d6f9e83084d5d0a77

              SHA1

              f22863e04cc1fd4435f785993ede165bd8245ac6

              SHA256

              30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

              SHA512

              35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aA8EC.bat
              Filesize

              722B

              MD5

              07c96bd4ad67e6a780f05bd0b5b82d68

              SHA1

              7fd794583c89cc040ca5986934973cb383b8216c

              SHA256

              d7eae4a6ebdea53fd14689b45193a0e69460fa400f8077b154ea92b988f40dec

              SHA512

              5de8358dcdde55c748a35218c92e8db6891ee7f42c131bd5e70bb20c609641941c3452e8dc8fef68038e5958987bd005c81f904abb952fe23e431499c62e04f4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\9703d822795fb2fa91fb599556b20dc2e67f39e49b60ff9fcd4b1c40e0c27425.exe.exe
              Filesize

              4.7MB

              MD5

              3a83e079cf1e79fa09248c3ffb742bc7

              SHA1

              bc0dd5ba8b8f61ff34a20f753566cc2b814d70cd

              SHA256

              23796fef04d754bd8845d131f91aca21a1cbef4efc300ac904c5c875b6853e28

              SHA512

              e8e47c2c94ec1dd46ce4a22952560bac8eb1e92dbcc4357b5af0ac51bce82883aba1d966407db71393e5c04b064e80b7ebd5aa68c47a0223725951e0ff8fc11c

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              18391870ca65afbac8d71ec5a641da96

              SHA1

              df073ab849561d5ca7bc7fb15c6ebb4f9f5ee12a

              SHA256

              9ea91d24b89b9786f3a79c1c9aee232172afec552ef9aaad9130ea5087c560f9

              SHA512

              2bd9591ec49de6f5ad5b68ea4a7de2dba5e2dd3426ff71224a193b1db7578af85cdfc1a97cf1d99374928c7eb2df226b9bdd0f19234c295d59dc08c8055bc6bc

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
              Filesize

              9B

              MD5

              2efce5174bcf8d378a924333f75e26ad

              SHA1

              4fe6e1d729b55d42eb9d74aca11b36a94402de14

              SHA256

              04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

              SHA512

              24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

              Download Submit

            • \Users\Admin\AppData\Local\Temp\360hb_tmp\4.0.324.0\360huabaosetup.exe
              Filesize

              1.6MB

              MD5

              c412765db03e59091588551621021193

              SHA1

              e6d1b444057735b482d6b3d226d7c2b0ef3c7d63

              SHA256

              8a7cd25d858feb316e527130863a7f121b2c29f85086537f4d1e380f0334a4d4

              SHA512

              97278289b8f1e72fb1f68039e6b3e6736938d5883725bd2fb70af68d237173b9c861e576c40c2cb46868fe3ea305634212635d460a5d02cd0f9bdccd79195b8d

              Download Submit

            • memory/1216-54-0x0000000002D80000-0x0000000002D81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1688-15-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1688-17-0x00000000002A0000-0x00000000002D4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1688-18-0x00000000002A0000-0x00000000002D4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1688-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-57-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-70-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-116-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-122-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-696-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-1899-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-2295-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-64-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-3359-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download