Overview

overview

8

Static

static

c50026c180...35.exe

windows7-x64

8

c50026c180...35.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    189s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/12/2022, 03:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe

  • Size

    243KB

  • MD5

    1a511c400e849f7ae09961e103039ccc

  • SHA1

    80e2e994800a01b287f5d35fbef791e1e9e8cf86

  • SHA256

    c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435

  • SHA512

    5a383e9f2216b738a1a6e7fa5b5e64e0832649a5481d75b7259e5ed3e1088103888419c7b424f0cf220fbff6166dee434594093a05808b12dc3699c60a739b2e

  • SSDEEP

    3072:PGaY46tGNttyJQ7KRjNDWI38xunbx8zPYLGT6gZfYKgZfYNpW+WROnp:u46tGdyJNDWjxQ8jYLG1ZwpZwNHWQ

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3020
      • C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe
        "C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3168
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a36B0.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2232
            • C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe
              "C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe"
              4⤵
              • Executes dropped EXE
              PID:5108
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3660
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4132
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1580
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4148
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3728

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\$$a36B0.bat
                  Filesize

                  722B

                  MD5

                  7f5e94e256e886d3b1443d3898499783

                  SHA1

                  2f7835a2810894fb29ad7a88da8cb2322dd21051

                  SHA256

                  7c2d2a4f5685f68f821cd66455d703c7b854918b59a8a016cfcbebefd6a30db1

                  SHA512

                  65188d4f5ba1e1b52e6c34d7c4bf609a559a6ed36d61bb9fe893bdf6d5888ec302d0dac82f3219b8fe32691c8c61f60d5e18ccfa0212864a747b4ca8a53a2632

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe
                  Filesize

                  209KB

                  MD5

                  eb89f4ac13f95fa31c850907d53dba87

                  SHA1

                  b0a34af264273af4446867d776d9bc2717b908b0

                  SHA256

                  f6415905338d2020326891f32bac7bb77553f68be40de61ba06118cad073fd89

                  SHA512

                  e2c2a05d69de2859b12a3b8b9e4e98e6935a9c24a92ddae8de3a03aa586c6467a56b072885cd4afde90d2283da6aca0fb9c99654fe2fb4b9d36809f37b3d6606

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\c50026c180ea0a370638a5b37fdab8be7413861c72bb21fe367194a550067435.exe.exe
                  Filesize

                  209KB

                  MD5

                  eb89f4ac13f95fa31c850907d53dba87

                  SHA1

                  b0a34af264273af4446867d776d9bc2717b908b0

                  SHA256

                  f6415905338d2020326891f32bac7bb77553f68be40de61ba06118cad073fd89

                  SHA512

                  e2c2a05d69de2859b12a3b8b9e4e98e6935a9c24a92ddae8de3a03aa586c6467a56b072885cd4afde90d2283da6aca0fb9c99654fe2fb4b9d36809f37b3d6606

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  d20379a6043b7c9afdd5ac217cb33f43

                  SHA1

                  9755a607a609a5cd1ca57e3a180c5f2d04f5b6fb

                  SHA256

                  423355b44e6de81ab3edad99d36a1bfb0c45888f1d2e3a970cbd4a29c5d59046

                  SHA512

                  79a2c49794cd467841c1e97e4d4200f87f0fb2a202c29fa353631ec9630b0b26248c3a7737c8207c740b025a9cf6cc685e11a0c182d50c1b6d065c811580547e

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  d20379a6043b7c9afdd5ac217cb33f43

                  SHA1

                  9755a607a609a5cd1ca57e3a180c5f2d04f5b6fb

                  SHA256

                  423355b44e6de81ab3edad99d36a1bfb0c45888f1d2e3a970cbd4a29c5d59046

                  SHA512

                  79a2c49794cd467841c1e97e4d4200f87f0fb2a202c29fa353631ec9630b0b26248c3a7737c8207c740b025a9cf6cc685e11a0c182d50c1b6d065c811580547e

                  Download Submit

                • C:\Windows\rundl132.exe
                  Filesize

                  33KB

                  MD5

                  d20379a6043b7c9afdd5ac217cb33f43

                  SHA1

                  9755a607a609a5cd1ca57e3a180c5f2d04f5b6fb

                  SHA256

                  423355b44e6de81ab3edad99d36a1bfb0c45888f1d2e3a970cbd4a29c5d59046

                  SHA512

                  79a2c49794cd467841c1e97e4d4200f87f0fb2a202c29fa353631ec9630b0b26248c3a7737c8207c740b025a9cf6cc685e11a0c182d50c1b6d065c811580547e

                  Download Submit

                • memory/1932-134-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1932-138-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3660-141-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3660-150-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download