Overview

overview

6

Static

static

3

e3c3821d97...2f.exe

windows7-x64

6

e3c3821d97...2f.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2023, 02:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f.exe

  • Size

    26KB

  • MD5

    2da5a57d1ba2ed4b46bc3c9817948557

  • SHA1

    8b28792220f874e0abd68de5d946c3ae111f6abb

  • SHA256

    e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f

  • SHA512

    29940a2b80714d8f816a0d6b4f5d93cfb4aeae5e0303f6f06d5091a3e0dc405ae1a1def41ea5e2e709ed6c20d4f4fd8f1d9527ca6eb4eb6d6cf1bc5fce4a7e91

  • SSDEEP

    768:6M71ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:6MxfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3164
      • C:\Users\Admin\AppData\Local\Temp\e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f.exe
        "C:\Users\Admin\AppData\Local\Temp\e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3372
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3012

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              5725841defcb7e0548144bdc53e0b867

              SHA1

              dd8c3c919b9ee5d068c5c42ba049cc2898add5c5

              SHA256

              7a1876d6402a6e910fe1ace26d0fc6a0ae27599d0258f9352f6b81bc2b4b72a3

              SHA512

              de6785d1de40c6b86ec99918bd3b0e884a81377ad1d353799cd34a3399cde727ccbcd48af0880cd5f48ee9ef1bb98fa8f870a83c38f8b9aea77cbea2ade0331c

              Download Submit

            • C:\Program Files\Google\Chrome\Application\chrome.exe
              Filesize

              2.8MB

              MD5

              55c71fe84126acd2ab7f97a5131b8d5f

              SHA1

              f04aeabd30e21b3198686738b3acdde68858d6af

              SHA256

              fab1b12ddcf4edca36bb95d03e30e3aa0de8b2ea9435e5cc56ca9f65f107feb7

              SHA512

              06670a280364ecf36ed6678315f1f231770c0f39f44bf56f87a21bf762608a2e14598280732c92e92cf845bfa272ea39a86dbcd382c49fe3adf17bb1beaca9d5

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\_desktop.ini
              Filesize

              9B

              MD5

              2326d479b287193a70f520700dc8d23e

              SHA1

              afea66d3788a50debd6f5d4c9dd51f68a4477e64

              SHA256

              95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

              SHA512

              cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

              Download Submit

            • memory/3196-27-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-19-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-23-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-13-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-72-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-1264-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-3189-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-5-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3196-4796-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download