Overview

overview

7

Static

static

3

8cac402dd7...65.exe

windows7-x64

7

8cac402dd7...65.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe

  • Size

    5.7MB

  • MD5

    4a68244d97e67cd1f860568881ef3d79

  • SHA1

    6fb54ef307e50f2bc3e0b7cd45cf6671c0c0fe19

  • SHA256

    8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065

  • SHA512

    8a56738cde0b3adbc02b51283e1523cfb00450730befd72c911d85464a2933618fd83a19026ac3e0960371b218a0149a888525cb6813180d0a17d2187bd60fe8

  • SSDEEP

    49152:VPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:RKUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe
        "C:\Users\Admin\AppData\Local\Temp\8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF509.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2916
          • C:\Users\Admin\AppData\Local\Temp\8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe
            "C:\Users\Admin\AppData\Local\Temp\8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe"
            4⤵
            • Executes dropped EXE
            PID:2556
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      252KB

      MD5

      f8c390bd69061478d2fe5dd48341f803

      SHA1

      3592b4817461d537b519cb239a09bf96cda12349

      SHA256

      a4292951fcbaaf5139eff7469c6b3d75b9af1682194d4a22ce8b440d2e6adfef

      SHA512

      dc18df9fd97f10dd731ed658688fb1359b639f52f8e2b966c7e19f7b9b5ea296259ee0f37184b5c75ba39c7d36963ffe5affceb8969b2bd3ba1eb9f037eb7fc0

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      472KB

      MD5

      88eb1bca8c399bc3f46e99cdde2f047e

      SHA1

      55fafbceb011e1af2edced978686a90971bd95f2

      SHA256

      42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

      SHA512

      149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aF509.bat
      Filesize

      722B

      MD5

      ca374e3a26d3369bfdb880f17d61f60b

      SHA1

      6a7f64279ca889621377b392914b7d9baa85b545

      SHA256

      e90a67585f7a1ae184d902120bc0fa55f6c899653942d6a80d6d3925682a91d6

      SHA512

      d4e4684743215d0af9045cd9dafda0b25622d3fc3acf83e951f7cd81a9c1ce054bfd83a15f18d3e3ef9c83b0dd90f5e2e1f67ad78ea16868d4dbc5b78e72f2d2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8cac402dd766f0d2ad3e43b33c1a28e6adefb82ba82a08bba4eab5fdce4d0065.exe.exe
      Filesize

      5.7MB

      MD5

      ba18e99b3e17adb5b029eaebc457dd89

      SHA1

      ec0458f3c00d35b323f08d4e1cc2e72899429c38

      SHA256

      f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

      SHA512

      1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      27KB

      MD5

      28f7618d6ac7640752f28eff279db335

      SHA1

      371175b345ec827c8ba1536e56b6207fad8d0341

      SHA256

      0d22e6b659c65ab784a4b55ac616ed96ca73b6e53c5258a5b62f2e3056d496b5

      SHA512

      2d6f5ca76b7c5bac52b0eeebfc3b60d9d364a8b6112c2d149da6a55635056814aefe152ba6bed68d88756414d3185517aec1702aae5f8c8b5a97195a53231170

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
      Filesize

      9B

      MD5

      e2a14c19421b289cbd51a76363b166bd

      SHA1

      5d0621d68da5a444f49c090b0725c7044d47fdb7

      SHA256

      844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

      SHA512

      8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

      Download Submit

    • memory/1228-29-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2216-31-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-39-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-45-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-91-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-98-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-331-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-1874-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-18-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2216-3334-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2972-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2972-16-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download