Overview

overview

7

Static

static

3

c94adfa850...c4.exe

windows7-x64

7

c94adfa850...c4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-08-2024 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe

  • Size

    3.8MB

  • MD5

    0d4c92518a70d0fc214fd61ee80a651a

  • SHA1

    7a308e41d6c3ea0e3f6a42fb0f2362f11fa9655e

  • SHA256

    c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4

  • SHA512

    c71b98c53377f83f20ad16ac20107d7b91aba11cd45ac5d0b084d8a104caf0152f6842e5d3208c11691f947a607a748de9b306bd94b4fe2e712197654d6e8363

  • SSDEEP

    49152:+7uLUvuexrXt4siTfS1kfCm3k5ai5bd8sX87mwzOHTa3upnNoNuOPnzHPxvLPGuN:dLURtxyim3FQbd8O6u9NdQpFom

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1392
      • C:\Users\Admin\AppData\Local\Temp\c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe
        "C:\Users\Admin\AppData\Local\Temp\c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3360.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Users\Admin\AppData\Local\Temp\c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe
            "C:\Users\Admin\AppData\Local\Temp\c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2988
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2880
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:524

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        9b70af1ce9221986b2abbfad8a3fc0c0

        SHA1

        3eccc923a532afa2bd30bfac2d0e785f232b8197

        SHA256

        a5f4c52c8c8a58eafbae19514988a87b06ddbb6a3aa8538fbce8cd4f549994b7

        SHA512

        43b71fc5ebd24f73035b2995650b7b99cfb65f34cb57af7873dea29737228559bcf10748d194bc079e17e1a9e0b0f5d88f24329d094f837cd47689678db1ab4e

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a3360.bat
        Filesize

        722B

        MD5

        308dc6789cd94e7e570b56de4ee53869

        SHA1

        3cc2d3fc811ec32597bade405be8a86e2078ff36

        SHA256

        48a78dd7c9bfebb98d7e2ae7ee43c87eb0313fdbf89632705a0cb1ccb6771f22

        SHA512

        e2f8dd7a0f59c0c28c7889d0c883086caf0452a8420211087a889dda5436448f31b9dbeeb0dee094c68a6f6c3c4d378318765444e28408916aaa9f5663aeea39

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c94adfa8508665885124be863f7624ca72466dba0970af97ca27c95127b3d8c4.exe.exe
        Filesize

        3.8MB

        MD5

        6582dd6bd38bfe986f09aea5b5b54ffc

        SHA1

        d0368d7f1d1760f93858e970b4970e8eb399ef16

        SHA256

        6e8261deb2c550a541b3391e0514a6dc1f00ca14594b8451ee1cbb14175c641a

        SHA512

        003b51d233217056dbfeb2ef5f3e7445f95cd5c17237405dadac35c4168c56917adc88d8f110d41b5c4017bb41da30b9963680c3c2d9f4c20d1683bd5f29a9c8

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        1de9441d703e634b101ddc6b68af5764

        SHA1

        0b78f86ac25ebbf70932df8e2b0a1637d68b4629

        SHA256

        a00b09d9599e8d7fb2a6c8aab5634aa8337e2ce0cb0077087eb8aa930a426fc6

        SHA512

        04e67d3d7409e890b48ae7d0c9d7cbc2b6b8a96a90e9d0f972e43b0c8300d1635bd6808dc8958b3ee13a745418262f7cc7cd3360a02a322e113b425757126959

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1000\_desktop.ini
        Filesize

        8B

        MD5

        0d72cd0b0aa46eeff2619cd2c58bf101

        SHA1

        5176d485e9a54ec517fd12c2aa7efcb1855286f2

        SHA256

        48db671b8d392706b0784a38cfdbfc3e9090457cbb04901a9eed5e8248a76bb7

        SHA512

        730ed8a629022a50a151646467a82228962c006a4fa23eadce4f586ef36df5fd311001c5ec502ddc4fe2e52b4f2a8da86e40950aefbcd51f8fd3dea8ebc304ba

        Download Submit

      • memory/1392-32-0x0000000002A30000-0x0000000002A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2916-101-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-49-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-95-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-1215-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-1878-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-3281-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-3338-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2916-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3032-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3032-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download