Overview

overview

7

Static

static

3

aad1d40b55...7c.exe

windows7-x64

7

aad1d40b55...7c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe

  • Size

    225KB

  • MD5

    4645e59f9f036466fee7a607484d6d22

  • SHA1

    96ad6aa9d409cb46f8492d62fdfe459bf732528d

  • SHA256

    aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c

  • SHA512

    39b38a93f477a4ab7f2156fa3ddccdf5b120eda640124bef35d127e5b50b9dd6e8213a3871d5546186be310a668ac32ab80e3f03ab8b57395cd41847d882f527

  • SSDEEP

    6144:POFpkdeKzC/leySe8AIqpoHbnDns1ND9m:Popk/VyV8hEoHbI3A

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe
        "C:\Users\Admin\AppData\Local\Temp\aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F90.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Users\Admin\AppData\Local\Temp\aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe
            "C:\Users\Admin\AppData\Local\Temp\aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe"
            4⤵
            • Executes dropped EXE
            PID:2240
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1404
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      244KB

      MD5

      0d8e4b615212d76312cd6603038e6850

      SHA1

      b4a8ff5f7b960b7875b8f67865f2aff4b99a3fb0

      SHA256

      e590a7d96dc085099aa75433056502c390a7c0e286f2d235869439b14d5e324c

      SHA512

      78d8f3fcacae44ec1b8a51ac37fd932c4be832fe88b842eaff14ac1a5952394ce8b370a03453f5db1e6479ae7438682cd6e2e8b69e8e554ef3638a3c923932cf

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      571KB

      MD5

      0f33a50ab70e16ec93c7b25919a29437

      SHA1

      9e846997bc245034f3cb7be797a4ba0401fcc84b

      SHA256

      7a9a23e5419dd2307c1943ca1d388ca05ca96ca79306829b0a099f564efbcbeb

      SHA512

      952d9fde1ab86b5dd0336a38813067be429109460744245d5818b576cf803d6d547632e91fb9cceb7dd0a971b49a9ee7afdf105f7f97e6b7ac73fa375e2adec9

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      637KB

      MD5

      9cba1e86016b20490fff38fb45ff4963

      SHA1

      378720d36869d50d06e9ffeef87488fbc2a8c8f7

      SHA256

      a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

      SHA512

      2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a7F90.bat
      Filesize

      722B

      MD5

      4f1928d841dee0165febcbbddc761908

      SHA1

      9ef7876f06583e2921c8d6ea9e3ac43273177420

      SHA256

      e890b515493b67205780cb8c85a048d05bbc3135fc5a6b4b1e37e2adc1074483

      SHA512

      b3a5776f0893a6afc8ace612dcd988c77ee19f54a1d9b92d74d19a484e5b28256bc900054327ba1a00ce4da726ba2e7ac148da93cb7f7d4377cb773752475184

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aad1d40b55622d3a289724bc4c370740b296a65d7fd64b50b90518515fc8277c.exe.exe
      Filesize

      198KB

      MD5

      e133c2d85cff4edd7fe8e8f0f8be6cdb

      SHA1

      b8269209ebb6fe44bc50dab35f97b0ae244701b4

      SHA256

      6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

      SHA512

      701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      27KB

      MD5

      28f7618d6ac7640752f28eff279db335

      SHA1

      371175b345ec827c8ba1536e56b6207fad8d0341

      SHA256

      0d22e6b659c65ab784a4b55ac616ed96ca73b6e53c5258a5b62f2e3056d496b5

      SHA512

      2d6f5ca76b7c5bac52b0eeebfc3b60d9d364a8b6112c2d149da6a55635056814aefe152ba6bed68d88756414d3185517aec1702aae5f8c8b5a97195a53231170

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini
      Filesize

      9B

      MD5

      e2a14c19421b289cbd51a76363b166bd

      SHA1

      5d0621d68da5a444f49c090b0725c7044d47fdb7

      SHA256

      844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

      SHA512

      8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

      Download Submit

    • memory/2888-8-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2888-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-26-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-36-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-32-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-440-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-1233-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-19-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-4784-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-9-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4144-5229-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download