Analysis

  • max time kernel: 149s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 17-08-2024 06:21

General

  • Target: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
  • Size: 2.8MB
  • MD5: 23e682f4cd8bb3e77a15ea3a9438d56e
  • SHA1: 2b90e1c8f926753eca86897a746f1b62b757ef7f
  • SHA256: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88
  • SHA512: 607e922421f0dad25ad58e416c08f987091d5a7484ff20df7d5144cc4bd80d09bb445b1340dd2e6571d7a76e10aef064eb818e0e9f2f47aa719407d66fa67a9d
  • SSDEEP: 49152:F7lbybaNvP+Y7PezVcKvgvIUXVD49aPW0YDEPcx+Goq3to:DbybaFiiKvgwW5m/Ul

Malware Config

Signatures

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
        "C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD3A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
            "C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe"
            4⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            PID:2632
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize: 251KB
      MD5: b7477cfdb499f53e1e71ecdb04dd5c08
      SHA1: 244ede942d0d6523466f9ed60b2ef59b06084094
      SHA256: 181a9e3b7da400428ba584f1b4b4fe76f6142d3c1cceb93d07be55b8f0f08927
      SHA512: ecaf1bc01a7dc37d2a44be30dc48ff3de55921914174940f2bbd43758c41b524b823858f33a27d147707476c786dbdc256a50856c51fe46bba43dc9a4b647799

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize: 471KB
      MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
      SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
      SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
      SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

    • C:\Users\Admin\AppData\Local\Temp\$$aD3A.bat
      Filesize: 721B
      MD5: bb668279dd030fa271e6b76ec9d4a7c3
      SHA1: 0adb2608844460d73c03b472d42e5b58ddfcdeaf
      SHA256: 9632c5fa0bc28ab9d112ac7476a5d5012e6ce0f524e2ad6560e81df3390aaed7
      SHA512: 7528f0cdfa5b0770b0ab5da8fb252e5cab0d7ec56e28e7da6411bde66ebc9b0a1a3e0010b9f9e98d0f1fb715d00ea74176cb8c6954a6bf5acd8ece43c21509ea

    • C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
      Filesize: 2.7MB
      MD5: e72c3792eeca960eb226ce7617af496e
      SHA1: 313450b94d7992aeb75d6974befe640211bd4c0a
      SHA256: f7fb426e37a4dca83f0282b0414935ed7c34041d9399d2e653bc1db3db052c39
      SHA512: 14f834719da9211197e7b64ce4e30436d91583fb244eecf992ad2fe394f5a0df5904ff3817c1c713bfa4baa49357df55f4e2a81e380a7dacca2ee313dffef31a

    • C:\Windows\rundl132.exe
      Filesize: 26KB
      MD5: ef9a234000c71dec7218ebd161c31528
      SHA1: 665974a14335eca0a7bfa7f31a9be5030bf648bc
      SHA256: 019a31bff074fe18b08b5658fd9785b4ddda40f31cb22960b4763419d60832de
      SHA512: 2a00ed53cb840fe75c2afa52e0f136d7fd1c0da4727e0d59961d839b6f6285cff93b462948ba3c01ac4fc1f815127ca976709f3ec2ce18495e01bde7098d1a8f

    • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\_desktop.ini
      Filesize: 9B
      MD5: fab909adf44de1f9f5c010f5b08064fc
      SHA1: 66c566239c73b8f0695b54a16d46a19f91a35530
      SHA256: da68d59f0202ebe993c367c926227dbf018434225163ab2f6121c12f2cdc5f65
      SHA512: 01bd95ec2c9e61e637533d76965e8c81bfd4309a208cd823ee01158511e0e9db298e55c833c1a60732ddfedf085c157f70924b6a1550dc9297826186be547fad

    • memory/1244-32-0x0000000002DD0000-0x0000000002DD1000-memory.dmp (Filesize: 4KB)
    • memory/2632-36-0x0000000000580000-0x0000000000581000-memory.dmp (Filesize: 4KB)
    • memory/2632-30-0x0000000000580000-0x0000000000581000-memory.dmp (Filesize: 4KB)
    • memory/2660-17-0x00000000003B0000-0x00000000003E4000-memory.dmp (Filesize: 208KB)
    • memory/2660-16-0x00000000003B0000-0x00000000003E4000-memory.dmp (Filesize: 208KB)
    • memory/2660-18-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2660-0-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-34-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-49-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-95-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-101-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-610-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-1878-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-43-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-3338-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/2672-23-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)