Overview

overview

7

Static

static

3

92442780a2...0N.exe

windows7-x64

7

92442780a2...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92442780a2356d7658c34de8fd4c6d20N.exe

  • Size

    70KB

  • MD5

    92442780a2356d7658c34de8fd4c6d20

  • SHA1

    27b7e40b6f6652deec21455af380157184056108

  • SHA256

    e6be95246b17e1bfbd995166137c9aa90ee70a927a59aee212ac07ac2c4558e1

  • SHA512

    1af9ad316271219fde5b98e13b7a2c1f5432918f46f81939a2426a78ada202008344dbe4d9f2beae7573bc0187920ecae889db60711351a19f52f4344c95cc3e

  • SSDEEP

    1536:pZ13SHuJV9NdEToa9D4ZQKbgZi1dst7x9PxQ:p/kuJVLtlZQKbgZi1St7xQ

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\92442780a2356d7658c34de8fd4c6d20N.exe
        "C:\Users\Admin\AppData\Local\Temp\92442780a2356d7658c34de8fd4c6d20N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBF59.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Users\Admin\AppData\Local\Temp\92442780a2356d7658c34de8fd4c6d20N.exe
            "C:\Users\Admin\AppData\Local\Temp\92442780a2356d7658c34de8fd4c6d20N.exe"
            4⤵
            • Executes dropped EXE
            PID:2728
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aBF59.bat
      Filesize

      536B

      MD5

      1590314824ef2c5a8b160de2e4dd6ccd

      SHA1

      006df78dab0224d801d814a92c055d376588fd5f

      SHA256

      2ccdeb9ee9d04fb6413de088a872cd2614486f7ef9c9aa8f2a2f093072b71698

      SHA512

      38da43d631455c50292b71cc553ae83ecfc41774f86ac7f91eead71a1bcda9ff5d5a9c9f5362e1ea495d34d4dcc5cc382a3c9f73e4388a5e779ef9e2938cd3d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\92442780a2356d7658c34de8fd4c6d20N.exe.exe
      Filesize

      41KB

      MD5

      977e405c109268909fd24a94cc23d4f0

      SHA1

      af5d032c2b6caa2164cf298e95b09060665c4188

      SHA256

      cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

      SHA512

      12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

      Download Submit

    • C:\Windows\rundl132.exe
      Filesize

      29KB

      MD5

      0a22c1ea4b867a82271e2173bbb7ccfb

      SHA1

      cae0f4ee49b426c3eefe5af8da008be2d09e2b6d

      SHA256

      e01d2dfa8289fb6d4483e18e8f3f8eecea75b783e401908c227f87078195eddf

      SHA512

      b940cb99532fb7830dcd6f6b52fd933ca1431b21b4233703c48013fb612246300029b725aecfcfae33879581d59e6f5f7c033db084c65e848c4b8b5c97cb2e77

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini
      Filesize

      9B

      MD5

      cd0bf5c2efb8cc7ddbff2ab5d2cb7e87

      SHA1

      6830a1817f2055b6beba9063b87af16bbef7fa19

      SHA256

      d00701a279110fcafdaa6a9dcb36385845f9d2aac5b1ac1c52c015c61718dcbd

      SHA512

      6fabfd6bced63153d3dd6b376a92e824c95b15ef046607b89376a17c7ac863e92c95770ed86d8ecec3639d280dd6256a7ab1ec2d8119799fb3a479fbce96254a

      Download Submit

    • memory/1200-29-0x00000000024D0000-0x00000000024D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1832-39-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-31-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-45-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-91-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-98-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-360-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1832-1874-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2396-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2396-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download