Overview

overview

7

Static

static

3

60bfe4a1ca...0e.exe

windows7-x64

7

60bfe4a1ca...0e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    01-09-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe

  • Size

    88KB

  • MD5

    af6f602b4a43f3311d4899c157d6247b

  • SHA1

    dd5eb66458427c601a1cf51e050efff98dba2c4d

  • SHA256

    60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e

  • SHA512

    92545534a2d1ed163d9a87535b628aae961b40c4435324b82f7e850b667c688f4c69df79b615a7ca3aad1dc956dab5f064da8a2853d2f02f92ca717d68c16d6d

  • SSDEEP

    1536:peJ3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:peJkuJVL8LK4ddJMY86ipmns6S

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe
        "C:\Users\Admin\AppData\Local\Temp\60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFDDF.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Users\Admin\AppData\Local\Temp\60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe
            "C:\Users\Admin\AppData\Local\Temp\60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe"
            4⤵
            • Executes dropped EXE
            PID:2792
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2716

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      f92b902a6578703e64b67f90b6ffccc4

      SHA1

      c6aa60e22abb9d95ba0154ac54fb5ae74f7262e7

      SHA256

      84ef98dbb02ad1519ea0f72bc49b1be6e24f47943cc3e02327442c3f52d96451

      SHA512

      5b37b0bda9228c04a20ece216cc66573479c0abcaf76144548fc9cc31a116d821ac469ea8f5f699f5638d2e5bd7a25df716994faefb9f47c37c5646107418eb1

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      c14a5111b798cff20d7d66b0e035d409

      SHA1

      29f0894552b30815fed6ad231b5721e876869552

      SHA256

      fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

      SHA512

      a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aFDDF.bat
      Filesize

      722B

      MD5

      56085c3225f5a5b0848651f23791fb3e

      SHA1

      4ecb37e08cc9581e2fc824c9c365e48a5427d8a9

      SHA256

      57919210e1d204a2b9bb90584974456f59edeb17d15573858a632bfd67beec95

      SHA512

      6179e76cb8450955bf987df4dd31453f362e276ff5790b58fc86e2947cdaaa0c01a68e0c8cb8d40fe6e762d6853248e2cdf7e884bb3970e93aef4a447019a71d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\60bfe4a1ca8a0ea66bcfdc80ab1f534d49e3ceb01227528c27801c416008ed0e.exe.exe
      Filesize

      59KB

      MD5

      dfc18f7068913dde25742b856788d7ca

      SHA1

      cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

      SHA256

      ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

      SHA512

      d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      4ec2047773672aa95997b5e9bfe029b9

      SHA1

      cc75c24092829cddba5ca4672a607e037acca4ca

      SHA256

      bedc248003e0af924d9bfdac50741f22955ac912be17efc6bf8385c782525c02

      SHA512

      d131935964fcdcd97c8c04bbb56800800a69ede9d702f5a33d3dd776275a32871842c9f5cc8cd1e747807ec102ca7fab6a9b7343341e1bcf0b691c7135f12fd7

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\_desktop.ini
      Filesize

      8B

      MD5

      4b4a61d6d446a36ccde31e7ebd6e7aeb

      SHA1

      6abcca1983b34a570385eb5b421b92449c851dfc

      SHA256

      d685543d9800644339454e98bc6c2f9ccea646fd51fdb5181583ca60fcdef8e9

      SHA512

      c25ac03153db7beb8b163c82e5ef75e916346047a00202825b79797b6259f877eea6fac6ea333743d7e423d5fc65d713e9e0cafc0631321beab8ae01ede9ee65

      Download Submit

    • memory/1196-29-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-97-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-31-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-38-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-44-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-90-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-272-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-1873-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-3333-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2160-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2160-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download