Overview

overview

7

Static

static

3

e66e0be4fd...6e.exe

windows7-x64

7

e66e0be4fd...6e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/08/2024, 23:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe

  • Size

    662KB

  • MD5

    86797766d109fafa84ec4d63c01382bd

  • SHA1

    c27f5effe007014051abfc2e7cb879014fa246df

  • SHA256

    e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e

  • SHA512

    28cdf5ea913a9caf6ed91a3f1fefcf321b51f56811b0d9d21448e87ee254f06be13de02b606616bb7d8c488ec4f11ee79798a06c87f52b8fa5e9516df1afe0e6

  • SSDEEP

    6144:tCuJpC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVAh7:SPFlTz

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe
        "C:\Users\Admin\AppData\Local\Temp\e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE678.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Users\Admin\AppData\Local\Temp\e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe
            "C:\Users\Admin\AppData\Local\Temp\e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe"
            4⤵
            • Executes dropped EXE
            PID:2788
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2896

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            254KB

            MD5

            13ab6f992499a26f664246ba9e6aa42b

            SHA1

            6f66a0e0c2a6b0c4d8ce6cae440390ec57b4122f

            SHA256

            674a8940e5dedbcbd1ef3cb161df118cc5341fad90c8f0932e1da0894e363588

            SHA512

            ee0702bc750ba4af65155435202aa2a2b411df32c4ad9216489dd85b645cb5113b1a9ad08a70af3eb0e94c889dc508caf251a53b9240aa79c66ae116226be886

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            474KB

            MD5

            6eabc463f8025a7e6e65f38cba22f126

            SHA1

            3e430ee5ec01c5509ed750b88d3473e7990dfe95

            SHA256

            cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

            SHA512

            c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aE678.bat
            Filesize

            722B

            MD5

            a7c39a852b08432ffcac926fd190869a

            SHA1

            7a146d3f0f6556f137f7f4dc2392b6997c2348b1

            SHA256

            cd8c9815ab97f979eb1102c7c27c85a79942c872a7f5676a41ffe227e1db7130

            SHA512

            711e56f95da8d3c597142fa0783066e773a4d09b4b91c9b97fb2b990d4295333cfddae2928633261ab4cc243f307434bb25dfab8468a5aff4fbd6b279d6ef543

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e66e0be4fd602049e595a37b4af5d95728f985108bfb1bfd809ed9037a7e166e.exe.exe
            Filesize

            633KB

            MD5

            2e0d056ad62b6ef87a091003714fd512

            SHA1

            73150bddb5671c36413d9fbc94a668f132a2edc5

            SHA256

            cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

            SHA512

            b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            29KB

            MD5

            c64b5702b462a9345363255cd38a3788

            SHA1

            9b6b6e857e544e61ee783065926c92d48337f0ce

            SHA256

            16c685475090f9e09f57bb8836c127fb02a08926f76779de941fad5d6305f825

            SHA512

            26c0c862561e1521891ee018bec7e128578343b2bc0e3471b87c5ef536e235c7ac9665c3ba84f9e0b9b206d3fae859ebefb1fd373123e0ee31b670e9bbe73836

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\_desktop.ini
            Filesize

            9B

            MD5

            b7beb43f344015405dc34dab081d8434

            SHA1

            f194ae965145f76e4825c67337ef69da96f3954f

            SHA256

            d069f2206a0ca683611b357b347af3abd4c559602b5617591232512e6c0e1b02

            SHA512

            ee85ee5a36f6fe3381a853d2e0a0209e3d83271f29a9f980d1cbfb0309430f26b2658eedc501c0639d0dd6c929b093b8f9bf1e1a3ff1179e581fc07ae635a678

            Download Submit

          • memory/1220-29-0x0000000002480000-0x0000000002481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-16-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2808-0-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-21-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-44-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-90-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-96-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-870-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-1873-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-38-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-2764-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-3333-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3024-31-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download