Overview

overview

7

Static

static

3

90dd9a96aa...79.exe

windows7-x64

7

90dd9a96aa...79.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe

  • Size

    383KB

  • MD5

    1ad3d81781370907fa47413b556115f8

  • SHA1

    09b085e38db794cfbc43d58f747b2b40376cc35d

  • SHA256

    90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79

  • SHA512

    2a14da66a86077b26290b74770c502b7687047e29c6f93a5482a2c11fb3e6d3b0d3c0f01d61e42dda33415485201c39834e9b1d2eb4a3e24fd77abc002f3c5fd

  • SSDEEP

    6144:0VfjmNu4WATf7l+psskdSMLLSATCNxFx3TQqNLz:27+uITfgps/dSsLTCNxgWLz

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe
        "C:\Users\Admin\AppData\Local\Temp\90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5EE9.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Users\Admin\AppData\Local\Temp\90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe
            "C:\Users\Admin\AppData\Local\Temp\90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3652
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4776
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      244KB

      MD5

      5aa4338434853c59bcde9d90cc7cf799

      SHA1

      2c181af79469166b7d9c1b4434fcaf0774de92e2

      SHA256

      dc87dd3d518bea8e2a0a9436ec184ae4de99e9d924eeac4b70ce1d6684fb61bc

      SHA512

      c39a896b1c32e9b1fa94711fe8fb16bd7660920139f5f053a579bfbda14be888fc75d111d11f878852169bf6054951882d5f090e19105dab796e8b0484115bcc

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      570KB

      MD5

      0a65037a70b947632f86b1405b0b81f2

      SHA1

      68714eac7d4baf1521a7e16599f34bc22a73cd67

      SHA256

      1889dfdb23441c347bb5d2e15e5ead7e5cb970937e871ae705174fad41098311

      SHA512

      1a4927435efe085b461a2eb02b097d5c500220948e3b6d07a8a83971b4371fb6d205f5d8f5fa791c274ca39aeeffadb98ac0929b2d425c05d02d10af02782a8c

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a5EE9.bat
      Filesize

      722B

      MD5

      f1e8d6acd442f6eb0d58029eb3baeb86

      SHA1

      ab67b0319edf36f71da6da9d858abc60f44bebb2

      SHA256

      afe4cedece092e1fa3986f08e57946a750486a01e4552081a75bd8950387a7be

      SHA512

      0f1e30e913718e4f4b695e23599f8653c9e0f29d495875fca4898b6cc7927462a49f222ebecd709f6f21f5a4265d739ec5ee85e0961d07cedb6ea13ee5571fec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\90dd9a96aa8ffda6797cb77fb66fa4d92aadd039a98a1923a1db2ea4ed057b79.exe.exe
      Filesize

      357KB

      MD5

      13d397c39908367dbd8f6a271978936a

      SHA1

      f17dd2fc0304b3ce0de7d1ee07c5416d7f8770b4

      SHA256

      5f1ec77cac147c80ef32b3b1cb1ce941359e8077bba0203d9a5cb60301a38006

      SHA512

      06cc81e9616f8e7286518951636b9ce0015532f58a456805c048f17c97bdd435b490b3b5b53f290a3bce9088b9b9e16f414b0427647e4293251067a29f36b945

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      eef1439386c015a2051ca663969bc0fe

      SHA1

      7556ca851b74d7b07b69f2280d46a93541a2afec

      SHA256

      d5b33c767d3bd46605b4e1d6f4ba80a098b0cfba7f1dc70a6142b81ef79f9cba

      SHA512

      f1d1f6d0bbbe1e503c63c471b18e260b95433c29c8edf0090a4c35bb8567514f1796275f32446f7a9041cebef75ee69457b0a90e4163ce978175ecaa401440ac

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\_desktop.ini
      Filesize

      8B

      MD5

      5d65d1288c9ecedfd5f28d17a01a30bc

      SHA1

      e5bb89b8ad5c73516abf7e3baeaf1855154381dc

      SHA256

      3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

      SHA512

      6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

      Download Submit

    • memory/2752-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2752-13-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3652-19-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3652-21-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3652-20-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3652-23-0x0000000077360000-0x0000000077575000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4776-38-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-42-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-32-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-614-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-1239-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-25-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-4797-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-12-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4776-5242-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download