Overview

overview

10

Static

static

3

ea2bfa8b4a...49.exe

windows7-x64

10

ea2bfa8b4a...49.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe

  • Size

    137KB

  • MD5

    6328dc3740cb460bbeb01f9e1f8c3a96

  • SHA1

    75727567341a0b2c441344f60a0b544b68a6212b

  • SHA256

    ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149

  • SHA512

    6563a6b984280b45fcd77a45c629136b9e21b86e9bc7c5363b6a511ab03c711028198d77cb855829f439dafd9b162255d4a36297e74c27af6057e960c28eb90a

  • SSDEEP

    3072:zmftffhJCuU9Cw7vFoF3M9Z8oU8HGROzoTq0+RO7IwnY:KVfhguMCysgZNYkdNwB

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3492
      • C:\Users\Admin\AppData\Local\Temp\ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe
        "C:\Users\Admin\AppData\Local\Temp\ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9114.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Users\Admin\AppData\Local\Temp\ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe
            "C:\Users\Admin\AppData\Local\Temp\ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe"
            4⤵
            • Executes dropped EXE
            PID:5004
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 188
              5⤵
              • Program crash
              PID:1152
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5004 -ip 5004
      1⤵
        PID:2896

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        244KB

        MD5

        6de96b5772a2c60fcf7079e3aed70290

        SHA1

        ad3652a35d14523c953d9024e1749d113afe535d

        SHA256

        3aa65af27c44381b5ff6fb52e02c432bad09d8eecffaf7574493a37e721d2495

        SHA512

        5d98608d8a000a276646b23cce8379c8db6c639c982d42aa817930947c475403d0cbbf6ed9c02822d57a64f4c1400db8a8f2e99c6b1c82d7418c9c24b5ac19f8

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        d86135ba65a903ea9752fa18663bf2c7

        SHA1

        dec95e10ce9eab4809839a9cf173d43e98982515

        SHA256

        7a8ca8663432023de33793d158c968426c9a802b6a790af44389a3fa77589d5d

        SHA512

        c47c3564d86f6debba6ecfb6b70219e08feb4fa466d9467e16f946188a53e3c1424568665bd6dab22aca20ac8d6feaacc565ee2497be41a0ae7dc072f398a67c

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        d82ffc872aed7c85cf936dcdcc2e6372

        SHA1

        50ca56cb4a429ce1532afaa2732f61833fc2b54f

        SHA256

        a487733710d946abff1a93a23ae6bbafd6c0800bc78e4d5e3cac36e2a14ddace

        SHA512

        0b0031418275c6be01f7757111058cd5bd3e5f4862e0631e2e28c5e7ffbb271446abdc2a88a7953ae55112799bc4a051becc2b14491e0d1760e336498665cc8b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a9114.bat
        Filesize

        722B

        MD5

        79ebe8809587163bbd74f9a52e6cfea2

        SHA1

        7cf596aa7089841fe7219847bfb10d3433dc0ec3

        SHA256

        77726b16d9732d358edbfe603c7d038cfd462c9e6be3801940bc5706b8ea91d4

        SHA512

        76043e65ec800545b1aa0bf79290b579bacf3f6f3ff180f5159ec947598826e5e25eb23a49c1b3fd5e1374ae73189ebd724d4e68b6c9bc59a9a7877bc35764b6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ea2bfa8b4a21ed0d5a9007e8697fbadbcd374ab0c8de1e065afe13bea621e149.exe.exe
        Filesize

        110KB

        MD5

        749d138bd977a5203f247af04114c7e7

        SHA1

        f1eacebca8c924515dc08b436eaff21102053836

        SHA256

        54a93e2f5dafb967e5479fac62c07528e3b031077767ded757c15ef125d73e1e

        SHA512

        e1138ff6531895b313c8e18f8b6cad5015e0ac4eb19bf0f0d23081fbc5840dd5b45f017e42d64a003a44dce742883b73ee22a4a48d76741064d0582344aaba97

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        1d9a03b6bc232d9d72b32eb0219ddb0d

        SHA1

        cb500e2dd58475f872075b05182ee5c3dbda866d

        SHA256

        6176b6ea8fd27d25a4532882e0ba49ec64d5dd6df1b99e525341f97cd1dd4297

        SHA512

        9f7086101b6073424ac437534b7cf9e9fadd02eba89e12c94bae7ff4d2276ba56f75d638cd046daf989e9adbe1f36342ff89775bfe1f3a3e8875621df23aa055

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\_desktop.ini
        Filesize

        10B

        MD5

        35c7be4353b2c3d1476bdebcb8e596d4

        SHA1

        de770cbb35d93e9150dd204d9649ca4de42b4663

        SHA256

        59a20d5f7a1a99b8aabad5abbb9a84844abac382745b3da63614d105a7696866

        SHA512

        23561726b3e219f2eeacd5a079a9e9d2d369bfebfc3d11870c8d9e5f107053a680500cb386a896c19b262ea0332eb7e21951367c06662068ee764c8b5db2e575

        Download Submit

      • memory/2604-30-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-826-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-1237-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-4788-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2604-5261-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3484-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3484-11-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5004-20-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5004-19-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download