Overview

overview

7

Static

static

3

90647d1e5b...2a.exe

windows7-x64

7

90647d1e5b...2a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe

  • Size

    98KB

  • MD5

    68eef72f6e7db681bd6ecde8e66284df

  • SHA1

    f53438226cee27773bfdd953a6c615c7abf34401

  • SHA256

    90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a

  • SHA512

    75e7742724c1d650b3300e12e0763bff527e7d8bc721bb755cb77cae9d2b2695f865503adf6e47d3f8c6c3052137c875cd5b7e12ba393b49f4fd6eb6ef190a88

  • SSDEEP

    3072:pjkuJVLlBJu2A88ElzYyNhZk1EJZf++pufg5s:GuJlzYw5Kq5s

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe
        "C:\Users\Admin\AppData\Local\Temp\90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a955D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Users\Admin\AppData\Local\Temp\90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe
            "C:\Users\Admin\AppData\Local\Temp\90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe"
            4⤵
            • Executes dropped EXE
            PID:1940
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      78843da8f30797c7e99e58214267f874

      SHA1

      9e4845871e797277ec74fd3334a872065e436556

      SHA256

      96e050efc3859f010c2a482d8a7fd0c07c22570ae0b91b37c9efdf5198134e61

      SHA512

      32eb69334be5db065e335ceff9f4fd2e116d1b8604dea26c922d1893563a872e3af4434f675927a1643dccf872eb435b54ac3f27ff79c65c3efece6354306c3a

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      2faaad87f08521fcc8daee0d433d478b

      SHA1

      a75b87049a6c122b921f66cddeabb12502857a2f

      SHA256

      70546de82df8bdbcd9022e1bd74a8f50d61dd19532aeaa32a69582acda025b25

      SHA512

      1dff24a69a25f323075c8553c643c1b5bbe83a5c6d975467dabd6027ff48d0c9d0cd06ecdbf6b6a5f97a060e0353eb31898d66a9e1adcc5497e05bac06566f27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a955D.bat
      Filesize

      722B

      MD5

      c96c6649c5f9fe38fd2d7f19bec7b1a2

      SHA1

      96433e05569b463ea6271d28946ef325fc66ebdd

      SHA256

      26a85f9b57e7735b883d46d08084cb0c8039054951bb4842e9ca52bf4dae6400

      SHA512

      a0a17e35f746c29f77d0df991a5283444df5c5dea20f8e541636ab139bf117886988dea840e43f3257e9a0948361ff61025cf00463c502b00de0b48c67a843a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\90647d1e5bc5abef414d1b4ae8ef3cc4855a1456202229b621cc554bd8b7b02a.exe.exe
      Filesize

      68KB

      MD5

      0cafef40fa8905f2001dd019140d6440

      SHA1

      3ef1a11c803c0b0e1d4c9ee1f049a98ca538524a

      SHA256

      7b9fcf4d30c5dd337bb7b46b077e400bea0caae56d69899b1441ac6cac6155f3

      SHA512

      06486241c46be7e0f83716cb944d2281d8e0856bf818aaa5e98cc3a04917e20dc247b03076d5a2f51d3d102d0aac3611860b77483ef1cecede99401395e59f05

      Download Submit

    • C:\Windows\rundl132.exe
      Filesize

      29KB

      MD5

      7a40ca98824decf9cd5833327cc00541

      SHA1

      2d499bbdb969dfd75795a24250d530bb70220106

      SHA256

      2177d280001b67dbf89342b11a421028050b90e50b7cee96186d258c66a62115

      SHA512

      bf9fc1fad0ffddc4561378cfcf777ddba9e736a796db590d3c7578800041afc08ab18c0698fd9816df8411b5b3c02bd914e6afcb37aeaf01f466acafcefe03d4

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\_desktop.ini
      Filesize

      10B

      MD5

      688d58fa5756a393f9472937ef284c25

      SHA1

      18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

      SHA256

      e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

      SHA512

      c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

      Download Submit

    • memory/1192-30-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1656-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-32-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-40-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-46-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-92-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-99-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-277-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-1875-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-3335-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2424-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download