Analysis

  • max time kernel
    154s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:28

General

  • Target

    440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

  • Size

    169KB

  • MD5

    027df46b9411263717ef91b5e8608820

  • SHA1

    bdafedaed9c6ab83ec739f98bf638e80b555294a

  • SHA256

    440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba

  • SHA512

    82f2d347b0b1129f15749e05abd83604a231f35aef288c42b8fd15a12b28c9c36c024346b4bcc0b6fc0a63e59dbca56644e722b1910616ab920fe27142d8ef73

  • SSDEEP

    3072:IVe+aX3zveyNIxq/iVo/MfafRUwFYC5TBf/2Fa9Y3zQOwNnYcVBPPy6t:5+aX3LVOx7Vo/Ms5TB6MCzQOwNnYcHKc

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
        "C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4696
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA84B.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3264
            • C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
              "C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
              4⤵
              • Executes dropped EXE
              PID:4280
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4932
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4824
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$aA84B.bat

    Filesize

    722B

    MD5

    b15922540d505bcba09fb07ac0fe9de8

    SHA1

    02b5b09575f8090ca879b956b9975144e1356735

    SHA256

    6a78123d695cfd630cb56d691888ca01a3a9fd453ebbe9825b103beef28854a0

    SHA512

    b33be6be42b1b58a51348d4d8ef27f5175cbe37929a021a56050faaadd301076f6eefac9bdc6dd2a719dcb51065dfcef858e1a6153689510b0e17cfbd271c61f

  • C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

    Filesize

    135KB

    MD5

    41b81620620326b1839a9da43f343cdf

    SHA1

    6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

    SHA256

    1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

    SHA512

    6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

  • C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe.exe

    Filesize

    135KB

    MD5

    41b81620620326b1839a9da43f343cdf

    SHA1

    6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

    SHA256

    1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

    SHA512

    6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

  • C:\Windows\Logo1_.exe

    Filesize

    33KB

    MD5

    1f5204f508b53f2c6c29023102ece203

    SHA1

    02bce63bdf6c0c9e7730327bade2ba4800dd8598

    SHA256

    29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

    SHA512

    b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

  • C:\Windows\rundl132.exe

    Filesize

    33KB

    MD5

    1f5204f508b53f2c6c29023102ece203

    SHA1

    02bce63bdf6c0c9e7730327bade2ba4800dd8598

    SHA256

    29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

    SHA512

    b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

  • memory/1288-149-0x0000000000000000-mapping.dmp

  • memory/2884-144-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2884-136-0x0000000000000000-mapping.dmp

  • memory/2884-150-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/3264-135-0x0000000000000000-mapping.dmp

  • memory/4280-145-0x0000000000000000-mapping.dmp

  • memory/4288-139-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/4288-134-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/4696-133-0x0000000000000000-mapping.dmp

  • memory/4824-141-0x0000000000000000-mapping.dmp

  • memory/4932-140-0x0000000000000000-mapping.dmp

  • memory/5012-132-0x0000000000000000-mapping.dmp

  • memory/5060-148-0x0000000000000000-mapping.dmp