Overview

overview

7

Static

static

3

32a95e71bf...86.exe

windows7-x64

7

32a95e71bf...86.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe

  • Size

    35KB

  • MD5

    02cfb4130187dec11bd92eff544d2ac1

  • SHA1

    e22a42564e6a8e93d8e54dc25f47f05616b8efe6

  • SHA256

    32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086

  • SHA512

    3599b027f199369857944b33fc1d179874c5b58b539cafb1139d90647f373c4348e7476a2062bdc83c6a9986e11306bae6deb6b2e52b8dc774618f3e79049e80

  • SSDEEP

    768:V16GVRu1yK9fMFLKaTxsujCT7pZpY04O30pG2a:T3SHmLKarIpY04G9B

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe
        "C:\Users\Admin\AppData\Local\Temp\32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF2C8.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Users\Admin\AppData\Local\Temp\32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe
            "C:\Users\Admin\AppData\Local\Temp\32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe"
            4⤵
            • Executes dropped EXE
            PID:2708
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2076
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      252KB

      MD5

      f5826cfacc154e7aa6fb97de70a4912e

      SHA1

      cde823973e10dc87d7c1a5f3e7d4faba93822b54

      SHA256

      f39116637559db2465b3cffccac76003c004398460f60301a77d5e5df5d2ec57

      SHA512

      0e13ef0f841062bebf1f12f293ad38eabce246d98ee391adbd8a33dd69ce61a1c13709cb95edd9e39171943c79c8f7bb0357e6c3101b65bb62306825917a7bae

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      472KB

      MD5

      88eb1bca8c399bc3f46e99cdde2f047e

      SHA1

      55fafbceb011e1af2edced978686a90971bd95f2

      SHA256

      42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

      SHA512

      149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aF2C8.bat
      Filesize

      722B

      MD5

      b10f2c2bc884dfe35c0fe4e36056a2e3

      SHA1

      5d6b90b35c86fc85fe5c3b1883d5dafcea7b7347

      SHA256

      f1fa3d83319c246c330fc335670b5903cea085c83f7275792490f13800b091bc

      SHA512

      821eb22ea06b04d4e488b93fb401fad1f7854d50d8923a359f9838d564f29b3dcf55ea68febb6b6ed937b52e4e855ec89ce0a295e2274ba4eb50bd65670382de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\32a95e71bfdb526b3cebf2c26d8e362b0cafad36ce2df6c8939b67d328639086.exe.exe
      Filesize

      8KB

      MD5

      5243ae7347809960a907a4494807de00

      SHA1

      b40e0a218cf9982a3f546fa004e60e428d1bd7fc

      SHA256

      ed9c09c62b604d67c46027c4a3fb868a8d89a30ba299a35c47f0ffed690c36c9

      SHA512

      758b40e36b3037d40c1f4ec3426fc14c2b622af864f59a077309041171709f9d2c2ba25241eeeca1e0d6d767a328ab91e00c8bd114ae4fd4e599a9874ec5b60c

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      27KB

      MD5

      c1e93a00c76fe9038279108132881b11

      SHA1

      db99e99d49c3ceec5aa5181573456c486696dd2a

      SHA256

      7c29108cb820ca23779c64a8e419596bf53578df1329e8c4abde530daf8b0d5a

      SHA512

      77c0e401c1a1782ee96c7f7f58748f898e8e7819952c81b04087c0dbc765b7e0b9591b8e17589a17ace293719a935525d79f376db53c9a82c3fc3f16dbc893b5

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/1196-29-0x0000000002D60000-0x0000000002D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-16-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2276-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-31-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-38-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-44-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-90-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-97-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-379-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-1873-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-3333-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2664-18-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download