Overview

overview

7

Static

static

3

1aa7b0b0a8...cb.exe

windows7-x64

7

1aa7b0b0a8...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe

  • Size

    227KB

  • MD5

    410cf00310cdfcabb7cd2dbf1914bb56

  • SHA1

    23ab165c3c02c793518d8f06661b0d225db0d4c4

  • SHA256

    1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb

  • SHA512

    00f2a4a3582f8ff2311973971b22bec33190f183ad168c05ddad4f6434fb31ca91124eaf1c56ef78fa8ac35bc6dca2e4364c4664d850b81c28aba4f60baacc0b

  • SSDEEP

    3072:pdkuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5n:UuJWdeKzC/leySe8AIqpoHbnDns1ND9m

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe
        "C:\Users\Admin\AppData\Local\Temp\1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA728.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Users\Admin\AppData\Local\Temp\1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe
            "C:\Users\Admin\AppData\Local\Temp\1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe"
            4⤵
            • Executes dropped EXE
            PID:2728
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      e00bb37f2870de4ab176bfec72cf7d6c

      SHA1

      921f2f71ea208b9ccfd5d9cf6cf0620379a34245

      SHA256

      fc9817a352ebbf8890eb2849fd80a0af54ca93b38965f512d7caf691b41a622c

      SHA512

      946d88acf60b8da3c6cbd2af7137b66086d8849b1b36963f3d86b5eaee65667f64b9acf01482380e1d4805a9f42f14541bde97278d03fee9b86a1fa0bee3bfd2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aA728.bat
      Filesize

      722B

      MD5

      0cca7e408cc74cfbfb2fda33f3a989a1

      SHA1

      5013bef2654b9ed19991ea4438ccf0b9556be8b9

      SHA256

      a8b5b444e0a30fdf6bd31f72fb999eb858c8881d4c2d747043c952d1f818fa6a

      SHA512

      9cd7780a50caf6ba457cba97bd23f83b49a69df38f4cbe2f3ec6ae979f1db34bd6b787329f4c1f8ed3c34e57a75b18dc7e2dd121ae5dfaf6de95f76d194fccf3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1aa7b0b0a8c4155233d7800cb914c43e86db08fedc570f16865c8eb37c8316cb.exe.exe
      Filesize

      198KB

      MD5

      e133c2d85cff4edd7fe8e8f0f8be6cdb

      SHA1

      b8269209ebb6fe44bc50dab35f97b0ae244701b4

      SHA256

      6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

      SHA512

      701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      fd12aea21ff2c350162bcd3d2a9699d8

      SHA1

      6164f1eb5148cdec25615a4f01dcba4cdd0061dd

      SHA256

      741e4e569a8c103af61c5fac46266974ae6b49c6ed2a20923cf21d4ae675653f

      SHA512

      d803227aaac9756c2b47ae326eed208a5c4afb8f4791d447fa566b05cd066f2802d985af64e4ece5cb18198fd3fe3ac3504faf0f2bd41eee97a202ab1bb5a09d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\_desktop.ini
      Filesize

      9B

      MD5

      cd0bf5c2efb8cc7ddbff2ab5d2cb7e87

      SHA1

      6830a1817f2055b6beba9063b87af16bbef7fa19

      SHA256

      d00701a279110fcafdaa6a9dcb36385845f9d2aac5b1ac1c52c015c61718dcbd

      SHA512

      6fabfd6bced63153d3dd6b376a92e824c95b15ef046607b89376a17c7ac863e92c95770ed86d8ecec3639d280dd6256a7ab1ec2d8119799fb3a479fbce96254a

      Download Submit

    • memory/1192-29-0x0000000002B00000-0x0000000002B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2364-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-38-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-44-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-90-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-92-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-97-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-492-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-1874-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-3334-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2568-31-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download