Overview

overview

7

Static

static

3

38071126e7...d7.exe

windows7-x64

7

38071126e7...d7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe

  • Size

    713KB

  • MD5

    8f611028b6eb10f2dc91d3515b62fcba

  • SHA1

    4431412ab5f057b64f592f48dc8ba8a948ba4a3a

  • SHA256

    38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7

  • SHA512

    1ca318ce6b038ab563cbde483be4121069aaff4c1ef646e2344cf36f4ec034a265e8e2147c0279cd36d708b26951a9a4f26bc694fb8d942a0964cf68a27a40a6

  • SSDEEP

    12288:bfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:LLOS2opPIXV

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe
      "C:\Users\Admin\AppData\Local\Temp\38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aADBD.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Users\Admin\AppData\Local\Temp\38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe
          "C:\Users\Admin\AppData\Local\Temp\38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe"
          4⤵
          • Executes dropped EXE
          PID:572
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize

    254KB

    MD5

    ed9f0ef9c1a51f3bf8e890943d6e4388

    SHA1

    8b82939b7c42224dc54f01923ff8dac9b8369324

    SHA256

    9341690494eac1a6fe0963f9d65299ed91d7e06181932eb609f3e44b09bf0e81

    SHA512

    8e84e37330eb2ff3a9bd46fc743fc727e748fede576cbc8810274a0b905942b90270d5f4aab8f41ac914b87ca722caaf3b82993bb127bf6ea6c725d56e8c6736

    Download Submit

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize

    474KB

    MD5

    435ec7fc3558bdbf956705f3e0282fef

    SHA1

    ae79ad9fc50e6dd539a4e56937475ecd1a7b13df

    SHA256

    59bff9f5ce89ab0392f0fa0dfe0cb65faa91c2d9a5fe3ad50ad26db603503174

    SHA512

    dc8036e8dcf28f05a4b58093c9c5b3cf4909abf441fd296979325f3e6ba9db35f78107bad9988c5c440e0521685cdafbd78f77c7f6ed63d6933ffcaeb8bee4bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\$$aADBD.bat
    Filesize

    722B

    MD5

    7242f575c533771653cbc450c0c1d803

    SHA1

    dad3a2d6c42554a9166d9e1209d7149737b1b821

    SHA256

    5f05bf85f0d875a34ab7b67fc0fed675582264dd1b9d195808c066396b44b86d

    SHA512

    76dcfd67b63f822aef2089a390e4a940f6eb03a2c4a1a0f797255a0eb5b4833625baf70f885dc5ed181cc767f1da884b52c445f714419a2cf84c2c41605f36c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\38071126e763492b2983e53f936cc1acfc8118e9282498edd61511dcbb7fa5d7.exe.exe
    Filesize

    684KB

    MD5

    50f289df0c19484e970849aac4e6f977

    SHA1

    3dc77c8830836ab844975eb002149b66da2e10be

    SHA256

    b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

    SHA512

    877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

    Download Submit

  • C:\Windows\Logo1_.exe
    Filesize

    29KB

    MD5

    02c3a4e7f369c64fcc4c92be92bc6e29

    SHA1

    031a8330543a7a12de06d356e5e2b75ec8bf760a

    SHA256

    a737dfa46ed58e1ac2264b44e764be23b0d8548717967a4494c13d7669638ac0

    SHA512

    69469ae10b8942fb7ba0e72b47e375dffb31dca5fd8a9ef738dad403b19d17b0e4bc55ebb4d25244d5d99e9e99972bc80675f16554bb8f72f17bfa7d010fa76f

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
    Filesize

    9B

    MD5

    01a8a4ee3580d4da5c60557485bef735

    SHA1

    f792412989fd2ce56b5d859cceef65819bf0ddf0

    SHA256

    e2897bad6bc31a67e597a2ef77fce6939385cf6bd64587f2cc006436c43a4f2b

    SHA512

    8ae193b79f1861b54d2a26031b161bf9aa6929661871de0f2c1cd1db91c5384244332bafc72bea107045eb0b41d876053ce11f5ce70147832f1871816c641145

    Download Submit

  • memory/1124-32-0x0000000002D50000-0x0000000002D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-34-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-42-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-48-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-94-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-101-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-389-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-1877-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-18-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2148-3337-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2404-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2404-16-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download