Analysis

  • max time kernel: 149s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 10/10/2024, 06:24

General

  • Target: bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe
  • Size: 959KB
  • MD5: 5358b95179aeda8763370ed2e94ebf4d
  • SHA1: fb2917d7fa2fdf40150669df7579921901f57eb6
  • SHA256: bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7
  • SHA512: 6b8a4ce3fb70fd8ad559cc2cb88462c0a155d85d54b251c3a46fcfbd2d455579bce7bf211cf1ac93fbe667aa55fb7f97b368ab11377384d53f9906b6a000ba28
  • SSDEEP: 12288:kRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:JBpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe
        "C:\Users\Admin\AppData\Local\Temp\bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a85F2.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Users\Admin\AppData\Local\Temp\bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe
            "C:\Users\Admin\AppData\Local\Temp\bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2264
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2728

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 254KB
    MD5: 9ae223947a503e976e1edc7875d53c72
    SHA1: fb15a478dfd690204c2584a9c2a1bc264995cfac
    SHA256: f597c0c63f5e46aafe0f0268ca163aeb7b0b6695d73042397e45f2063d64f23e
    SHA512: cd94c5e526d86fa376c95500c2886d487a057cdc071c3bdb99a43b0ff2637829b813b7826e09d9cc05ce7ead2dc42102a809ab644e3dc61230eeae151455a8c8

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 474KB
    MD5: 534b3a473ca3d525541b1289b316404f
    SHA1: c1e408bf066852bc1ebdbb3a9e835932e3e7bb72
    SHA256: f9719cc66a7a6dc9ff57786e474a1868b6696b4468dfc0f915533acea44291ca
    SHA512: 99b77d6860209d482448490a6afde3d3144c8ca1a838d97de66c758f9ebab8b21a51f3257cd7b191cb4f254ba2f04ae69a8b5f29a9c95d768d400fb5e8f1e330

  • C:\Users\Admin\AppData\Local\Temp\$$a85F2.bat
    Filesize: 722B
    MD5: 16e0b7fed9647279ef8a4855ffb97139
    SHA1: 46070319dcfe4ea0dd63acefa4c33a26754a2a75
    SHA256: 0a051f5a7eae76b5b59ac2f2ead2434de7b69b23919324ca4399f9e5c25b13f1
    SHA512: 0e42a3ebd6f50346fdd8d80366987ac48c30bff223e59694464034f6e9a4fbf41cc143e5d640e15c840b141aa0da4181b0ed91e94401754b4ce1171e186dfe9e

  • C:\Users\Admin\AppData\Local\Temp\bbe80cbc26afe601c9872ec8b73abd419d584d846931b22cc39b28bec87e24a7.exe.exe
    Filesize: 930KB
    MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
    SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
    SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
    SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

  • C:\Windows\Logo1_.exe
    Filesize: 29KB
    MD5: 4c513a4884d5671553b53e59a8c5149a
    SHA1: 57afa0c2f1936a9adc9ddcb007499472a8a37d6d
    SHA256: 0413d2f733470a6ae51171bd9de1abe1034020f8951e2c9c10156188471f3df3
    SHA512: 2ac965599f0d154c1af515bd102436247fb8a83f0b34d0d01cde2d2063802d07258b0cc022e04f62eb06e5c983ff0ee2df4e727a0214f930ecc9b9e7be4a7924

  • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini
    Filesize: 10B
    MD5: 1603436fb34d76c51d66ab1816519131
    SHA1: 3d5dc4ccfe3cc992c253dccfccf66ea727f66bf6
    SHA256: 9072a674ab684ff3ef851bf4f0fdc4118d2bcbe765282f38f3f6de4360057d60
    SHA512: 30d89b59822313e4b281b8f63b959f36262b2b948cf38e6389e9a1a7517c7c239349a41de9e35c8cd27d6b852ab5349206c2fb85b631dc59fab5421d997dbd46

  • memory/1180-30-0x0000000002B30000-0x0000000002B31000-memory.dmp (Filesize: 4KB)
  • memory/2508-16-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2508-0-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-33-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-40-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-46-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-93-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-100-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-450-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-1876-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-3336-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/2540-18-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)