Overview

overview

7

Static

static

3

b9d52b79e9...0N.exe

windows7-x64

7

b9d52b79e9...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9d52b79e93d62ef5deb7a7567839940N.exe

  • Size

    38KB

  • MD5

    b9d52b79e93d62ef5deb7a7567839940

  • SHA1

    a9d63580b314d7fd1922d29ed298694815fbb7f5

  • SHA256

    7068e9a5d5452a1d38a05500a22e3be40366d42a3513e4795c0cd2dc2231f1fc

  • SHA512

    182aa92c2f62f7ea88253ef0f2012a13a7e268815e105132fc2b1d97d25985ac18b724395de5a1ebe0e1a136d20db59254a3d5eb7319c1cd628ca4c792ddf107

  • SSDEEP

    384:NbbJ1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJhKPMSfh:pl16GVRu1yK9fMnJG2V9dHS8WPNUGJ

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\b9d52b79e93d62ef5deb7a7567839940N.exe
        "C:\Users\Admin\AppData\Local\Temp\b9d52b79e93d62ef5deb7a7567839940N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA41C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\Users\Admin\AppData\Local\Temp\b9d52b79e93d62ef5deb7a7567839940N.exe
            "C:\Users\Admin\AppData\Local\Temp\b9d52b79e93d62ef5deb7a7567839940N.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 548
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:2120
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aA41C.bat
      Filesize

      536B

      MD5

      938dc8336f1ce5216aac0b8ccf269efc

      SHA1

      de926358cbfc4cf68d470f2f75a80dfa0af96b3a

      SHA256

      7504f33b07347a2574d9ef06ad6516a81541c2e132e6f87fe76a7cbb5e8f30fa

      SHA512

      e32930341c0ed8404ab151e2b29091ef668328d0a4708c445c6f59b514c2649ce6d38284484a8eea75098012a3333396f68b5d92eef805566361eb33b905ae17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b9d52b79e93d62ef5deb7a7567839940N.exe.exe
      Filesize

      9KB

      MD5

      d43613c6ae1506ca4961aaebabf19b63

      SHA1

      f0028e0908fd6bd170b3e297f137964526f2de8e

      SHA256

      34ded1f940ea26bcdb8ee34e8adfab4f234f2748f21fa4cefed8f246cabb159b

      SHA512

      84fafdd624daa3523d1e242c8a8ead793ff3df2db1eb456b2638fd78a6b3e192dfb0036ef828569c97ed522dee77347e978a5cef9c86ac9707d7d468a38bf9f4

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      668b9b2a023470ef8e41a8dd5913892a

      SHA1

      9459ca7efe49aa5573e0fca1c160c54dae9c2170

      SHA256

      033b6cc47ebe0c706b32bbf040fe93350aa0118b49837fb97d3912542c37fb58

      SHA512

      6c894b1c1610a888e5f8ddd204e4e3d150a73248c582fa305832e6e40a9b7f4cee4c10e5f7bb7a793714e89ca535f40c8f042ba4b51e1ac316e1644cb5b67c6d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
      Filesize

      9B

      MD5

      ee6da0916e43a13c40e1dec936bccc09

      SHA1

      3c41c332d37b563dad6d1c8ccec540428eae35f9

      SHA256

      0259d8b67e15053053cf5d982948c58d2c6121d2f86b7aefa7c7948979c6e28c

      SHA512

      b70fefd584ad9b4f8c71125a4be5e157cdcbccec18c7f64d235d10c98d4c6005b9c8b6261221211b48f5ceec417792d34750b488f0e2a33dfd702e0094f625a7

      Download Submit

    • memory/1248-37-0x0000000002550000-0x0000000002551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1644-15-0x0000000000220000-0x0000000000256000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1644-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1644-17-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-19-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-40-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-49-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-55-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-101-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-107-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-569-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2528-1885-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2784-30-0x0000000000220000-0x0000000000228000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2784-42-0x000000007479E000-0x000000007479F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2784-29-0x000000007479E000-0x000000007479F000-memory.dmp

      Filesize

      4KB

      Download