Overview

overview

7

Static

static

3

beceaf28c1...a2.exe

windows7-x64

7

beceaf28c1...a2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12/08/2024, 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe

  • Size

    268KB

  • MD5

    fe0f4ec241ed6f7a9eeec567ebbbe3f2

  • SHA1

    ce34ba7ac037f1376ca4223046e8d87af4b81df3

  • SHA256

    beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2

  • SHA512

    498991cbc2053d8ee8a6c61812f0d8919c80782390e439ff4f184d4003aa046a499636a1df9d00c20f48034765f2cf7294520bd287c5179ecfbcfacb57746339

  • SSDEEP

    6144:8VfjmNt1RAuOqXHNe/r3MVutniQ26fkdXJ:+7+tAWXA/rOciQ26f6

Score
7/10
discovery

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe
        "C:\Users\Admin\AppData\Local\Temp\beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAA91.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Users\Admin\AppData\Local\Temp\beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe
            "C:\Users\Admin\AppData\Local\Temp\beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2864
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2292
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2780

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      bb4b53663c070d58fd57960c5b404d14

      SHA1

      19cfc5274af434ab3fadb4b1781dffd7ac3864c8

      SHA256

      89a35ce014bdbb94532c4a739d57d807b420d2f8b1c86791ae9c4b83bd79077a

      SHA512

      aa63e653fc4a3ba6370af071c6c979743a487b50111fee1759cf4f7edc57d47e803a1723d626a0012bcf47b8932de7acb37418fe82b9986eec9e7d86dc8a9a00

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aAA91.bat
      Filesize

      722B

      MD5

      b1d502f4528840aa7929e5becb7e233f

      SHA1

      4b8c33bb090803b5cfd49d66859376baad325682

      SHA256

      dce37bd22918619db064e253045ad53c6aea80e0a23afdcc2ada905e3a079e7b

      SHA512

      55921d137838741d56b7143024623c473b29a82968353dddffd4b817dd4042ceda859d29170e089efdd40ee07218a3b4abc4432e587ab09dcbdbd70967e0b1fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\beceaf28c131a5d48bfebaae513f3ee27da1a4f36a2cb892af6298487a2b90a2.exe.exe
      Filesize

      241KB

      MD5

      34fc461f27a58b897e38adcb5dd25f49

      SHA1

      952d24b184c7440fdae44c868b25b0c13afc4a71

      SHA256

      01488ede48d1cc463b768563c91e2043e1622a3edb2e99ef1e9c217a299602fa

      SHA512

      d1ae4a3e923637ba97b11ddc3d39f2b93eabfa284d64bae7858b706379c7af7523b7c34aed9af9e858d12e7b039d44b69234666ec337cfb844b6a9a34bc21a60

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      dfeb8bc493ae29fdfd9463961f22ffa1

      SHA1

      1665dc95dfb3977f5883eb18832cce97fdc82562

      SHA256

      01e5d82665723f3fd606ec28df1235712effad7ff0c509f08cb88fdf4c322359

      SHA512

      36cbe8b3820898910ebc32b67653311326ed7a2a828760d22219262328a835e8167a8ce2bafb853f9cff235668b28794845d32764240efb90cdd72f20a553cab

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini
      Filesize

      9B

      MD5

      1d7eff79e14bea77e992f25202a6decc

      SHA1

      2481953494e9f17a5d9c8186bac1e89c460da06b

      SHA256

      0bc3f26881fb44793cd3a989e616ce2b45848152d57eb4a38fd5f06df63f0a9a

      SHA512

      e9cffe2ce1cc689a1a0c9bee4da9e0ab90625931729257893780b13eb9060ee26bf373c87c0ae33e3fcdc3e8614d415ac00fe57fd7f1fb4908212cc145c8d9ad

      Download Submit

    • \Users\Admin\AppData\Local\Temp\hrlAB4D.tmp
      Filesize

      172KB

      MD5

      4f407b29d53e9eb54e22d096fce82aa7

      SHA1

      a4ee25b066cac19ff679dd491f5791652bb71185

      SHA256

      cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

      SHA512

      325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

      Download Submit

    • memory/1212-38-0x0000000002E30000-0x0000000002E31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-27-0x0000000000130000-0x0000000000143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2292-44-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-52-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-41-0x0000000002BC0000-0x0000000002C34000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2292-3358-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-2498-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-1896-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-477-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-60-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-108-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2292-111-0x0000000002BC0000-0x0000000002C34000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2292-116-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2540-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2540-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2864-30-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2864-43-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2864-42-0x0000000001CC0000-0x0000000001D34000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2864-34-0x0000000001CC0000-0x0000000001D34000-memory.dmp

      Filesize

      464KB

      Download