Overview

overview

7

Static

static

3

d81027e415...e2.exe

windows7-x64

7

d81027e415...e2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe

  • Size

    168KB

  • MD5

    56d6894cad03e4beebcb52881b5a00d6

  • SHA1

    b23ce0a18492a99214ebeae061f706fd3e62066b

  • SHA256

    d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2

  • SHA512

    49f64c412a2746f5b7b42a89fa071c6358e698821a377f7bfa0cedb6cff68386ede82afe467392c0535dfd1489561774a7c0c324f3d46539107713e656c1c3d6

  • SSDEEP

    3072:pAkuJVLUbFnBS1RkLRXo1ID0NBi+fgKwJP:7uJSbFnBS1R8gq0NBi+fk5

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe
        "C:\Users\Admin\AppData\Local\Temp\d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a784B.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Users\Admin\AppData\Local\Temp\d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe
            "C:\Users\Admin\AppData\Local\Temp\d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe"
            4⤵
            • Executes dropped EXE
            PID:2628
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      575ff180a27de35ec36af19aa4ed6e66

      SHA1

      b3d71c10d88af12956ceebe984e9523523397a19

      SHA256

      9b1df12519b89778f94ee6cc4e135eac2aeef6466587b09a2e8d90c69e283e2f

      SHA512

      3322cee41c580d79a62031ae77b81c346cfb3577d3b960edaecbdca1a5e862a8c2e0ef60da66d339a8285b204c7917f83d24b1c524df73f510820535b7b3db6f

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      fa2fdaa379bd3cadb1c742596d15cd21

      SHA1

      acde37ebbb6e0b7168ee3ed03c1098ba1ddc3826

      SHA256

      16825fdfe8f416651a17ff2b21867a125f622e4efd7cd3547ecc24542886015d

      SHA512

      f5af57ac6dfc99b9a346563e906ef7817920635619265efa20e428aa9a6ec7914e8bc16458e43915d64107e280d417bca319f66665df74c8cf63bb2d0ea850aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a784B.bat
      Filesize

      722B

      MD5

      0a062359b79faef364832303d0e8858b

      SHA1

      02590a6650fba9a7af9841c23b35ba49e5baa930

      SHA256

      9dbac8becf8034d073e21f0fcbe52deff0560fdd9cdf7d4777f33d09e5c54e55

      SHA512

      b03d695e564f9036d30365060e305428a445dcb4f08997f9d69b30c68a4c58adafc326be7558e4cdfb8f82a906c7890c788d000809014af96f01ab22f6fee6f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\d81027e41501c7e8f97b1f5653b816ffd3b0c0ca2a706c61a0a959c877cb55e2.exe.exe
      Filesize

      138KB

      MD5

      b51fb63223915f23c60adc580c9a0531

      SHA1

      a22bf33ac2769c31c922c45f314b4d6e42ed77db

      SHA256

      b9eace03c8471717e3f98873527005dbd9a92367b954f8c48484d2b7b78efbac

      SHA512

      cd72aac2128c48c34568db1ac7b33e6934f31f473278426ef2acf9cd4df545dea8424bedf79340eb74a966ce39a3a7d9910fcbe456047d83330c62761644194d

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      b597a8fe712fc5bbf5cdfc3c601aaccd

      SHA1

      c9d85f8c12bb53976ffb8054ec04f98aa582c386

      SHA256

      46b3f5e82795e0730bdaacbe6ddb2100ff8cc506dd96b895beceef106dfc18a4

      SHA512

      af3f75224d8217e171f537aab78b0c4bb2b54612d0e5b33fb26c24305d44df7f641c3161bfd439aaeac421c2d4df237e6170a9dd27b86e1dddc517b1213c5298

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\_desktop.ini
      Filesize

      10B

      MD5

      52a225cec34530c05c340f9ae894aa31

      SHA1

      d6553bc25b5bc40447184e9dd520dd7c88f5c2aa

      SHA256

      bddf98f152ff77575c277b91c8f7aa5f69973cd3bfe7aa55ebe61b7d3df17fab

      SHA512

      726f8a96e3dab9ec548bda81a01dc3e0d93afa2363c76c4bf639de4b0471f8a43a8e32e90b230b95639e82b7daa8da3e8d9c848755e2b58398aa48e46e5ba5b5

      Download Submit

    • memory/1232-30-0x0000000002D70000-0x0000000002D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-91-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-32-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-39-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-45-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-98-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-292-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-1874-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2708-3334-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-17-0x0000000000220000-0x0000000000256000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-12-0x0000000000220000-0x0000000000256000-memory.dmp

      Filesize

      216KB

      Download