Overview

overview

7

Static

static

3

37671ff659...09.exe

windows7-x64

7

37671ff659...09.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe

  • Size

    573KB

  • MD5

    6a9cce6c17b6d97d4f8c25099ba1bad7

  • SHA1

    01e7352d898693294463f9f4fc5afa8c1e4c135d

  • SHA256

    37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09

  • SHA512

    c05a626f188b1526765e003bcd73c61864fc6b34eac9b8a42227bf73d9fbcd423f64c0850dfa957468c50fef81f058554080ad08955faf23b246a4ef882b8f2a

  • SSDEEP

    6144:aMSuJ0E7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQL:j7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe
        "C:\Users\Admin\AppData\Local\Temp\37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE4E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Users\Admin\AppData\Local\Temp\37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe
            "C:\Users\Admin\AppData\Local\Temp\37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe"
            4⤵
            • Executes dropped EXE
            PID:2652
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      534b3a473ca3d525541b1289b316404f

      SHA1

      c1e408bf066852bc1ebdbb3a9e835932e3e7bb72

      SHA256

      f9719cc66a7a6dc9ff57786e474a1868b6696b4468dfc0f915533acea44291ca

      SHA512

      99b77d6860209d482448490a6afde3d3144c8ca1a838d97de66c758f9ebab8b21a51f3257cd7b191cb4f254ba2f04ae69a8b5f29a9c95d768d400fb5e8f1e330

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aDE4E.bat
      Filesize

      722B

      MD5

      c77c0e37151e44ac61723d235590e7bc

      SHA1

      215564075be97010f58fad7bd8b0fe66f0ab121d

      SHA256

      d9ffda6de9e6410e82efa0ff987d5a76e511d8bea55aefafc6ce82daf8ff09fb

      SHA512

      0b70f0a1dbff457a77095e64e8f2c4fe5b7e6655a374dab5621b2d3d62a1c093f3d55c267b95f441e90c7b3deede25425ea971f2da61a91d1d1a8b3a287d230f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\37671ff659bee691c81ee4a50296309b309c748d8048537a6437374323485d09.exe.exe
      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      2d7a4af1cab99363a241742f3d79331f

      SHA1

      54fcc2b39924a6d04a013829c65e0534f0ce057a

      SHA256

      7064441e44c136f1017438c56de5bacee8b01305719b9ec273cd97be9d70f0c5

      SHA512

      ddce35d81100d9766d26c63102aa5e50d959519f1a9929a2f6461d3aa5babe31b8e64d42e25778ed63161b1c06a4802d5f1a0dca8378e57765d903efe3c69956

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

      Download Submit

    • memory/868-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/868-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1208-29-0x00000000025E0000-0x00000000025E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-32-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-40-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-46-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-92-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-99-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-323-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-1875-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-3335-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2148-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download