Overview

overview

7

Static

static

3

8924bbe5bd...32.exe

windows7-x64

7

8924bbe5bd...32.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe

  • Size

    77KB

  • MD5

    3b1c642edd290c457c15e7bc3d7f94d8

  • SHA1

    34d829aa65e40b5b0676576f1a742c6c55922c4d

  • SHA256

    8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332

  • SHA512

    83c801371d1e34831371133a95c30234f6861654f178d79ee24e43643a0d36ef64f65c29d7c9766956c8f8549a30d94f8ab8b41637b35a62c0856b3a6e66cf8f

  • SSDEEP

    1536:IKufgLdQAQfcfymNQtxh7mnJAOMWajiWKu4l:gftffjmNc7tdXji6G

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe
        "C:\Users\Admin\AppData\Local\Temp\8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE80E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Users\Admin\AppData\Local\Temp\8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe
            "C:\Users\Admin\AppData\Local\Temp\8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe"
            4⤵
            • Executes dropped EXE
            PID:2716
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      72b364e25e62ebb14efd069eda9ad0a1

      SHA1

      448346e16a5d373f023af542cd718c36946a9f6c

      SHA256

      40b32314a7db06d42cd04da4084d98add9cbe31a9e695c82634236e7ccd73818

      SHA512

      c3864ab00b781a235bbdaa24beefcecf88d31c6b737b637bbd35150689469d57836266b84ef8364d0e86accd2fd86a8eab72b23ac387da5609af354402e3c85a

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aE80E.bat
      Filesize

      722B

      MD5

      185162dcbae59e45e0f2bc2cd0d586fc

      SHA1

      a422dd75f9d2408fec92fea1aa11954c73b6f672

      SHA256

      a5977c5f487728d60d9ca865bae8ea2f796aacb7a5897314f5afbed20b2e080d

      SHA512

      ffacddfbe8d98dfcaaa0c811e463eac317c261c173e7e1b11cbf71cd183b16e464dbdb6967c90c04ebc83eee39648c3110f75317807cc5eeded9cc38fdd9ca8b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8924bbe5bdf9e3b378dd6d4dfa9df15b16d87b7560160ff4527c00ae119af332.exe
      Filesize

      50KB

      MD5

      24cbac7dd7547358d199bdd0ce75fcf9

      SHA1

      d9515ab2c4324eb889eac13e28021d50bbbc1c6f

      SHA256

      62a42690f89996010d7b42a090f7f0873aeffbe8325a3ca76477aa8b11f5bb98

      SHA512

      db29ce85dc4b5b93aebea5dc6bda6fd563f6ba688c6f42d40b8788bd020d23191e1501d89f8201b8106d8dc0c1e07e7244792761664bc2c6aa8a85a85c8a3dce

      Download Submit

    • C:\Windows\rundl132.exe
      Filesize

      26KB

      MD5

      f676cd4660f256211a6586e02b66b916

      SHA1

      9fa73fd6cfbe4a4630a10d8384d7dc7ca1c86e9b

      SHA256

      00650a49c505eb5e6aea23737df3f4ed9d7725c4dfa7d096445d38a9b2603886

      SHA512

      edc4ee02ff43407def336504187f78d600470194978deb67a31baf57d23c4557ebe52700b896e750be17187a7619e3cbd8642ed501a4736d547ce546c3400fc0

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini
      Filesize

      10B

      MD5

      688d58fa5756a393f9472937ef284c25

      SHA1

      18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

      SHA256

      e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

      SHA512

      c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

      Download Submit

    • memory/1180-29-0x0000000002A90000-0x0000000002A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2688-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-31-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-39-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-45-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-91-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-98-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-316-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-1874-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-3334-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download