Overview

overview

7

Static

static

3

27ae3ea4dd...2f.exe

windows7-x64

7

27ae3ea4dd...2f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe

  • Size

    136KB

  • MD5

    24f1a3665d2e8debfa8b6ba55561df48

  • SHA1

    5577d5985b111d3e3fdf077c6e45527dbf9c305a

  • SHA256

    27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f

  • SHA512

    082d56545f37720e57adb776b5a6ad9b76071f18edfece387a6fdf29d7f0cc2cad05fdcd0eb78c609331b8b2e99675c6e654d6047943c46602f7f53d98c8410d

  • SSDEEP

    3072:oftffjmNUEcXdw/M+0vkLOj0udo5rzahM9:4VfjmN+6JOYuy5Hac

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe
        "C:\Users\Admin\AppData\Local\Temp\27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD143.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2480
          • C:\Users\Admin\AppData\Local\Temp\27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe
            "C:\Users\Admin\AppData\Local\Temp\27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe"
            4⤵
            • Executes dropped EXE
            PID:2832
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      e741eec1cc1c39e347cc923ad822c6ce

      SHA1

      11e83bc362aac4daf0f21aba1d70998cc9c796f6

      SHA256

      ec59a4af66da09be379f8516fd48c96023588f34e3012ef939e67eebfd480fbf

      SHA512

      e2d4dd97ba1604d1b006892117b28c4708a5692df88a3d82f311c76a39d3c48b30e6ec3a80993aa2108b9b7cff0f7daadb9c22bfb623a0cff14e11da4093bf0a

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aD143.bat
      Filesize

      722B

      MD5

      c794e800a38cad45a0d17acfac4004fb

      SHA1

      2ba9e6a0f01415bfcfe66fcbf8011ffd1ddf1a46

      SHA256

      a35b4f62a4bd070de75fc066761d4eb7df7759bf5b6184ef1fb3d064302a47da

      SHA512

      41a82cfa7299fd7b36db9b180c9588344d8f663ba156a16bc37a4ac7db111a6f9529025cc36d7cfcc7930cab3bff27c0cfa5328da6eab418cef2c27f42995b4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\27ae3ea4dd4fdff2b447298edbef6033104126c46cd7f8c163659ea12913322f.exe.exe
      Filesize

      110KB

      MD5

      269f0a767c1d8ac7480795a94e0e2b79

      SHA1

      041006a33fff863a72f46b6637abbf05f81bbac1

      SHA256

      17772f59c1f0a0b5c6131c64e68efed8eaf99cba9c2b8b39133ae5481bb90395

      SHA512

      546554125e278c6c1ba931811526bfeac286d6bc2374b56b31140f82f47c309a5bfb938f747693334712b3f241ed98e79184a103440e78ef89efff7efac8df31

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      805eb0ed66c18e1531e50f439bd22fe6

      SHA1

      c950b6aa47401447d6e25784e84ffbf33c649a22

      SHA256

      c29a834c4a3081af2865ccdd21dc8255ce461cbc601ea9a30cddf6a6e18df4e2

      SHA512

      d06e428f19253a44ccc30692afa7237aea6c6b800bd959321084520de29837fb17b775349c69c224925c2b462adad4214ee59a05bc9cc09dde9de7689b9efb93

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\_desktop.ini
      Filesize

      9B

      MD5

      475984718232cf008bb73666d834f1f4

      SHA1

      12f23c9301c222f599a279e02a811d274d0f4abc

      SHA256

      a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

      SHA512

      80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

      Download Submit

    • memory/828-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/828-17-0x0000000000220000-0x0000000000254000-memory.dmp

      Filesize

      208KB

      Download

    • memory/828-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1248-30-0x0000000002A10000-0x0000000002A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2328-32-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-45-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-91-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-98-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-328-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-1874-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-39-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-3334-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download