Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 23:11

General

  • Target

    dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe

  • Size

    712KB

  • MD5

    94249897568dde226227b7bec700fa59

  • SHA1

    a52aea55107b7a9bd85ab119890c5eaeef4005f4

  • SHA256

    dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63

  • SHA512

    307bbdaad7674f0e08de7f39d08b0ecaf13a22d3b17d727590ef36dfcca73f5adb844e1f94a8eb658d3db9b9183aba79c96ca1d110d2ae98b57fd9de3839017a

  • SSDEEP

    12288:V7+p9y+V6/ZOkBmt6bvMwBaOA+jlqDS33KudL:V7Gh6RMwO+jN3audL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe
        "C:\Users\Admin\AppData\Local\Temp\dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFB29.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Users\Admin\AppData\Local\Temp\dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe
            "C:\Users\Admin\AppData\Local\Temp\dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe"
            4⤵
            • Executes dropped EXE
            PID:3484
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:868

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      244KB

      MD5

      499b41c835407698fc879f87e88b606d

      SHA1

      dcf8563ad9791a5b1bea29721ab4cd88a3dd7347

      SHA256

      0fa3c4c53f19ea113547acd2fc1b60a9f9b30d8c5ce7993592bba0d9e784aff8

      SHA512

      6366a4879766e9e0c2829ab32e67cb4a6707688221ba3e15943a79e37edf27940ee610609bca0fcc0446513fef2c909e0a248ed946c37bfdbe425265f6e82427

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      570KB

      MD5

      658e8e9dbfeab5fa7c7ad6a97df10d5c

      SHA1

      f72a53af02525035a51d17eb51b658ff6ac8155a

      SHA256

      b37ea9d22d7d50f9eabeca6a99428cac2e0388ee89218442f719a377f3e5b072

      SHA512

      0821a12e384053256344e0da159eb59b1b2e04bc1dc0412d13aa4ee220eee80694a61be62dccc95e72387ce5e05f0e85ecbd8912dca0e77b63741aa93b789551

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

    • C:\Users\Admin\AppData\Local\Temp\$$aFB29.bat

      Filesize

      722B

      MD5

      6a741211bd00cccc8430313509b85b3e

      SHA1

      a2f28ae2cbe1a07d143b2037ab65ed4e3b8ed3db

      SHA256

      f55cfdf9a1b080e97b9183770931f577465d891b3f442f822d1b71d02f4a63ce

      SHA512

      0b9863a56a9ea5c4d4cdd9381ec62068c9496a3015acfd2d2697b8a9c00b1940e5f58695db5413799ed81bd0b9debff5944c399c24965414c0070d0696c1b56e

    • C:\Users\Admin\AppData\Local\Temp\dd5d795b7f5ece7b0a0d3a2b958d78cdbdbc3da70d2643345f4f58a9d24d6a63.exe.exe

      Filesize

      685KB

      MD5

      1d162efa99a81ec4c68ebe7a20ab07ca

      SHA1

      71fdd7f76287aac30f0c12a6559ecfffad7579e6

      SHA256

      2eb26253b3647c9cf2d0b6f80bc4ec11f2723cce287d2afa5f7fb4c40cce4b5b

      SHA512

      2c82843878f54cdd50ce9a8777a9e16c960756e521be5083f2474ba1d6f20d2f5d5765f07587aa1e88348cf5a2e114d91ba4d2bf9eb634c3e758d17b94f0897d

    • C:\Windows\Logo1_.exe

      Filesize

      26KB

      MD5

      75eb37924e68b2595bc0312918d4a63b

      SHA1

      10ab938fc66cd08bb0c46829ab22b17019af7197

      SHA256

      7b1ff2f554870ae049b64929791e7c45191610b709cfbaa5a095694d5252dd69

      SHA512

      4527d987450b54872ce0dfe9258ae8cb72b37faab7ab331638c7ca5a27f7bce78cc912548ad0376bcd3daf305d91ee7ac8f4ce373cbea297e43b4659303771a6

    • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\_desktop.ini

      Filesize

      8B

      MD5

      fcbaf0a2c3988ef775359f94d545ab42

      SHA1

      174ccd98ff87b8e6f46eebc493f379beafeb3b08

      SHA256

      895aaa8dac57f2bb76ddc8c2681e0480bf57dbf3f62cda3840cb448b8615612f

      SHA512

      7c81b6445708b1c482599bfb808e90462d6111e885691dd947d9cdf95ba028d580b20027575814a310a81f310261b649792b65153ce43063da063b5005561d20

    • memory/2388-10-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2388-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-27-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-37-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-33-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-1233-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-20-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-4791-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-8-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3400-5236-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB