Overview

overview

7

Static

static

3

c533f642d6...33.exe

windows7-x64

7

c533f642d6...33.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe

  • Size

    605KB

  • MD5

    8a6afc4c2f670cba68b3e3a55ab0d275

  • SHA1

    23a75ecaf493725a93a39ce997f9ac5257c9ecb2

  • SHA256

    c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133

  • SHA512

    d2a821a3f0ef0d78b4bd400e46b014f2a501de56df6b4f74cb55e44b8cd19eb6c5b879d4a0ae3d9f2678c67df2d41387d76b4b7663db0611fb267ce1b8def7ca

  • SSDEEP

    6144:hVfjmNXvmOBXyDkJO4i8QUFvpLdJIO6MsubRuQM2NAxvQhKnmyc45tP/iYT:X7+Xvz/JQ0AxvSlM

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe
        "C:\Users\Admin\AppData\Local\Temp\c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDAB5.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Users\Admin\AppData\Local\Temp\c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe
            "C:\Users\Admin\AppData\Local\Temp\c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe"
            4⤵
            • Executes dropped EXE
            PID:2864
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      7ac11ecf9c463c889ce87df3d311fe3e

      SHA1

      ce270b7acdfcf8387317d6835a6f712031a3b398

      SHA256

      c19d6ef0e6b2d0a8776a84fb2f915dac93cc6cca47dfd68918c04726b4cc71eb

      SHA512

      eb3baf3668cc23255a5af23edb78206f1213e5f24adb5093825a6e56dbbd6ef715d3ec6bfc639104ffe3c17f681d6e1a70704c37adcb0482096e7bb887bb5e85

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aDAB5.bat
      Filesize

      722B

      MD5

      0a044889078623a162ac9387a4758d43

      SHA1

      527ce8f6705e1b9a3072285a04f7ccf659b8d25f

      SHA256

      42d4171d7cd43ce5608b9e8c7e60990efa0f26cb1b44aa704b91b4c58a4787ad

      SHA512

      381db41970e709d7e45c9d8a86cd2864be68f6ef720491c5bfec2e4eedab3fbe1f1d93e63e2a7a71dc735eaaeb37a228ddba7ae324dc69034aa21c570af1bc08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c533f642d6100018650ac1ca68e3e9065e7a7d79d4689ace3684e6f98bbee133.exe.exe
      Filesize

      579KB

      MD5

      843cbb96157de047fd569a165d023d6c

      SHA1

      58701573dbd6e4317cf611fce392fcf996f25b1a

      SHA256

      b3e3b58624289a27badf5db41781df1ef31fcb4c5a9556767f89360fbe5d6497

      SHA512

      ee12344f9a237f945ffdc395b603ea83db2d1b0996775082b5bf6ffcac63f05772f84689597c5dbbaaadf1461dbb2a7bf3af232f969477ec617f8b02e8bc272e

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      5a470351f22a7cc5e39cfe4bd86ca83e

      SHA1

      7ccd3612c28971f59a69b7c656628c6275a95274

      SHA256

      fcca4abc09acb79b2616c2e3d131bf68e35a33c30f8cb5263eb5f3e83bdf2c3f

      SHA512

      fe83aa3d8ecc99cb3fe5580414ce36f3f7e56b57689062df05ed16c8bc943a795588e7ceb9b4f9274f8d6a51cb54b896bf137470844d9e1442c814f021eea2e7

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini
      Filesize

      8B

      MD5

      1c0fbf3204f05014248f47b58290aa63

      SHA1

      233eb8afaf33fab1e8e7c12d4a28e9ecdce776af

      SHA256

      5dad5b90d650fe88de482f53849dbbc0b9edc4e10d667217f21197ff4f9a3a7d

      SHA512

      3427d4cdaede981196902eb08658304ace7b034e2043ed0bcc5daa285e3dafab17a1256f5c148af9e048ef9469ff4b930643c09263f2bf9a8adb6a15b26c2808

      Download Submit

    • memory/748-92-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-32-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-40-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-46-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-99-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-411-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-1875-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/748-3335-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1192-30-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1980-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1980-17-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1980-12-0x00000000001B0000-0x00000000001E4000-memory.dmp

      Filesize

      208KB

      Download