Overview

overview

7

Static

static

3

3a70df5701...06.exe

windows7-x64

7

3a70df5701...06.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe

  • Size

    3.0MB

  • MD5

    2df06080847c440edb9dca506b20a330

  • SHA1

    9ef81f44bd467a33a14fb14cb47c6ff954765147

  • SHA256

    3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706

  • SHA512

    01eee6ed888321ad16a26f7ec910e13d1cb3836f1cd890394a5c970f44378eb3f9fa71c07198d0a8bdc7ce074f9b427c7884beeff2f9a6a31b065b7135b2ad91

  • SSDEEP

    49152:K76IGwdA0g6CupcLp0pHwjOLaUIeJSBTbJeKPTSuN0oqhedGW96oNeD:1IGH6CupcLp0pHnFSNbJ3TSW0oaW9nNe

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe
        "C:\Users\Admin\AppData\Local\Temp\3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE7C0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Users\Admin\AppData\Local\Temp\3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe
            "C:\Users\Admin\AppData\Local\Temp\3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe"
            4⤵
            • Executes dropped EXE
            PID:2272
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2824

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        32c46999249ee76939ecc4baf2722d33

        SHA1

        bb4a4aaae82f0eaf66d797ef1b313df9e38974f9

        SHA256

        9d2c513f7443ba6ce40ca030ed0cb370165c67f28f22bc25553a54f57dbb2fea

        SHA512

        8a2e8c2cdeca63261497b82f3c58a92767618860f05ffdd75e932dd2d4731ffef2d622b48d7939910edf00d31aa9909b92a5304e897d5d0150c57ad1f0306b48

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aE7C0.bat
        Filesize

        722B

        MD5

        9da99b0f97bd7ff8a0ea1df898ad321f

        SHA1

        d973b733f196bf24cee6aa78148127543a459357

        SHA256

        6fbf68e72fcd1eec0fdfe34aa1f7ee377934495f52050b896c85c235fc385323

        SHA512

        2ba1b589bbde4623ac2110d2571e6b18e608d07af64e3a1b067ff59a46ceb2874e474c0cec366432bc2b2ed049343e23757fcc16ca5660fab66746515750246d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3a70df57018badadda4deee047963884597ad22461d6ba526eb86d5c52d47706.exe.exe
        Filesize

        3.0MB

        MD5

        d9d63c77ed65a20c102e7a1a0df2b581

        SHA1

        8483bfba9e325a2c3e555bae3155e5d0e9ddcc9f

        SHA256

        c96c258af32735e1f37f64b38a5f00e6618a574e48525be1b18c3eb60f79b17d

        SHA512

        5fec2c4775bcb3615f16cd418512c873c8938d2235fd4ea40788f40327a2c8844c8c13e46aca43d85a7ada67aee299f430b49654779b44b7e0c8ead03ff7e4f3

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        66b52612270a69c70fcb753c71db38af

        SHA1

        56c10089c0cc6d1638ec3a9818411040c0684cf0

        SHA256

        bdcf0b120cbba26c70240bec100cf50964765bdbba76565d3d1ecc788ffded64

        SHA512

        9be0b6f733a1e03626ad978b057405bd894e9f8179f5292e2ae62b1e2ee337e501233f58f75bf5643e12fdb68e6e6d2a3e146ba6641a448c089cd2e153d729e8

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini
        Filesize

        9B

        MD5

        5e286801abdc6ca5d3091665a72ecd7c

        SHA1

        87e0b4601ab0b05784a1059a45d72d807b0e2cbb

        SHA256

        131ccc46b756e5373dc2f2d37625bfb980a48f2f2287585da364166cf2e709b5

        SHA512

        51506d6adb68cca9e21fcddfe9672b91352cdb4f3c5b8c2da40219c73d2e7724776cd8701ff68449720c0aa398fe4f7665dabae2bd5147d42c5b6882c99f0bf1

        Download Submit

      • memory/1164-29-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2136-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2136-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-1042-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-1873-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-3192-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-3333-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2720-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download