Overview

overview

7

Static

static

3

5073d28b9f...c0.exe

windows7-x64

7

5073d28b9f...c0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 16:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe

  • Size

    662KB

  • MD5

    749df83a7dba790f68372b526d9bddfe

  • SHA1

    e2b40c61ccbf2443b3d04616d4720b218b493c0d

  • SHA256

    5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0

  • SHA512

    75fb9f871adf5aa8ce73bdfdb2089d82493e7168d16fc7e4309aceec41ab80d24ce0f4885de161d474dde28ae133198612015e57e1b64cbc97f0c8ec305e2352

  • SSDEEP

    6144:iuJpC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVAh7f:4PFlTz

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe
        "C:\Users\Admin\AppData\Local\Temp\5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5B79.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Users\Admin\AppData\Local\Temp\5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe
            "C:\Users\Admin\AppData\Local\Temp\5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe"
            4⤵
            • Executes dropped EXE
            PID:1072
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2756

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            254KB

            MD5

            3ca1bf22fc4c86f1ffd00a866ab6ff39

            SHA1

            059063c11ade4cafeb9eea49592aa4a049ee9269

            SHA256

            1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220

            SHA512

            5ff6e33ff4e45571b0684ddc95e4ffaf8260151b2fcd2ae9be2bd72be27ee8e8364e2185e1df5f1019e9d9d937b757bcd538483ca12d0eca6cc7f36bd88d81b0

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            474KB

            MD5

            6eabc463f8025a7e6e65f38cba22f126

            SHA1

            3e430ee5ec01c5509ed750b88d3473e7990dfe95

            SHA256

            cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

            SHA512

            c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a5B79.bat
            Filesize

            722B

            MD5

            36b401719d1f0b048410a84ca3c33b2c

            SHA1

            0be59f4bbb93a8f3697057936ce42813bee6f978

            SHA256

            ec5df644df89fdd2d203b20b47580df623c42d88f189578ebe0b7d850e404b6f

            SHA512

            ff2f4b6fac546251226156cf0cf81916d525f4c9004bcacfca89ba3385db77b0faedaee0cd77748c18c377046a92cc9dbf53a2b65f530e45f9f716e97d76e692

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5073d28b9f9c5801c2450785f26f0fce06c88864ece57d5f3ebedc5e70030fc0.exe.exe
            Filesize

            633KB

            MD5

            2e0d056ad62b6ef87a091003714fd512

            SHA1

            73150bddb5671c36413d9fbc94a668f132a2edc5

            SHA256

            cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

            SHA512

            b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            29KB

            MD5

            668b9b2a023470ef8e41a8dd5913892a

            SHA1

            9459ca7efe49aa5573e0fca1c160c54dae9c2170

            SHA256

            033b6cc47ebe0c706b32bbf040fe93350aa0118b49837fb97d3912542c37fb58

            SHA512

            6c894b1c1610a888e5f8ddd204e4e3d150a73248c582fa305832e6e40a9b7f4cee4c10e5f7bb7a793714e89ca535f40c8f042ba4b51e1ac316e1644cb5b67c6d

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini
            Filesize

            9B

            MD5

            36657916738d378a6daf6ec7b690badd

            SHA1

            e4d3726bd02e1e99b12ada04a242fd6ef7c2843c

            SHA256

            7cd83d4ff3f3c6844b544fa7790bc1e7ed8bf829627657544861ac726071831c

            SHA512

            b7878056ad1c2294fb0e659eee6c7861948010b69a43930d8a243f61cebbea83fcd6fb11db19c01f731a925a7a744c6cc4de2eb0ffdc3863acf71e4cc05b2d6b

            Download Submit

          • memory/1412-30-0x00000000026F0000-0x00000000026F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2712-16-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2712-33-0x0000000000310000-0x0000000000346000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2712-0-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2712-18-0x0000000000310000-0x0000000000346000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-34-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-41-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-47-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-93-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-100-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-181-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-1876-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-3336-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-22-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download