Overview

overview

7

Static

static

3

864d659426...56.exe

windows7-x64

7

864d659426...56.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2023, 14:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe

  • Size

    339KB

  • MD5

    56fe2de68eba35ced1dfdab2527fc7b7

  • SHA1

    c66401134472e1923e8365d0a10947379ed5a8cc

  • SHA256

    864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56

  • SHA512

    7d4c339149ce503534ac26fc9ffe412a04d281451944d8cba20a0e315dd9aca13bba40c0f9155c87c8753c58609fcb1bbc7fa8a8789148b12ea483dd6ebda106

  • SSDEEP

    6144:+VfgPoKonbQAGBCTmpUi65QHtppS07Ga9u:AY2bQLBCTmpI5eN7j9u

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe
        "C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a805B.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe
            "C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe"
            4⤵
            • Executes dropped EXE
            • Checks for any installed AV software in registry
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:208
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3044
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        2⤵
          PID:2900

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              151ac58e58220189661561d0f338512f

              SHA1

              b97e07e686df8553a868b31f122597dc1edc3db2

              SHA256

              1687162e29a6e59c6e6257f7f4f740138c72d60311ee2d9d6b93227c3ebcfc2d

              SHA512

              3c3adf45630a7ed4d6e6feea14af3251e8038f95a8943c916164e5419e9f4c882d05d513816bcd5eaaed916e8665d937b30866d00f540c6b31d27ba655975f15

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              484KB

              MD5

              504565624b604cdafa1b466a1e4501a3

              SHA1

              48a676a7d99dd2a7b490c8353296fdcfde840bfd

              SHA256

              19bd65d835c240d94719fc57a6afbf07302cc1e08ca5e6dbbd591479a2e5520e

              SHA512

              049ad4f565bc4e4d193f467e9ffe5695a8ca1f341a8ce9e78d2b34818aa09a7de3c3cd66c2cc316cff028657b4af34a562775b3a5e076473f14c26ada386de7f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a805B.bat
              Filesize

              722B

              MD5

              b972c9d18d79a1f1d07b557bb7d4346b

              SHA1

              f70b800f21edd6e570d9789073d64a8f957cff02

              SHA256

              2365ffad07bef4e98c74411507f8fa17472af2da49c3a0bd6c64bbbbdc253e43

              SHA512

              bfe35c182f88c40d41259c4d34325ac56ea4ffefcde53c290658b5c66b1b2976645d816cc19924b9c2948e371c62ad07142d58e434f9a73ecd4befe19e51c649

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe
              Filesize

              313KB

              MD5

              7a8a90ffb24d64c19f5b6be5b36ead97

              SHA1

              4e66f0e0d0a54bae622590513fdcb76d9f4d4f52

              SHA256

              39d6f7e0f2af78c84a2101126626246c20907defd388677edcfe32a64a156fa1

              SHA512

              67fa32b0044e5580745eb954a4c8274bbfc974e736999a98509dcdcdb1b88ad4065b913f1afac712c761c27f50db03da289a53f4e39e616065868a68a3c9a878

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\864d6594260cfbb6f30532d3110c5b5a875353a5ca2103756e8e119c0df99a56.exe.exe
              Filesize

              313KB

              MD5

              7a8a90ffb24d64c19f5b6be5b36ead97

              SHA1

              4e66f0e0d0a54bae622590513fdcb76d9f4d4f52

              SHA256

              39d6f7e0f2af78c84a2101126626246c20907defd388677edcfe32a64a156fa1

              SHA512

              67fa32b0044e5580745eb954a4c8274bbfc974e736999a98509dcdcdb1b88ad4065b913f1afac712c761c27f50db03da289a53f4e39e616065868a68a3c9a878

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              35c1e291828406ee71963b478b089bb7

              SHA1

              ab391a57c744a091e455855231fcc40d338d03d4

              SHA256

              d39888b881326a7a5e91377f986c088b755c07456d86b1714fba8705f7b60c1a

              SHA512

              e0a7301ed8ed6ce15112e5fd9ea322780a2ffbf7546013d9d3d5888fb53c7ff8512515df944aae76bdfbddfc5bef75336330d23ff290e21257e0d7640c44bffc

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              35c1e291828406ee71963b478b089bb7

              SHA1

              ab391a57c744a091e455855231fcc40d338d03d4

              SHA256

              d39888b881326a7a5e91377f986c088b755c07456d86b1714fba8705f7b60c1a

              SHA512

              e0a7301ed8ed6ce15112e5fd9ea322780a2ffbf7546013d9d3d5888fb53c7ff8512515df944aae76bdfbddfc5bef75336330d23ff290e21257e0d7640c44bffc

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              26KB

              MD5

              35c1e291828406ee71963b478b089bb7

              SHA1

              ab391a57c744a091e455855231fcc40d338d03d4

              SHA256

              d39888b881326a7a5e91377f986c088b755c07456d86b1714fba8705f7b60c1a

              SHA512

              e0a7301ed8ed6ce15112e5fd9ea322780a2ffbf7546013d9d3d5888fb53c7ff8512515df944aae76bdfbddfc5bef75336330d23ff290e21257e0d7640c44bffc

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\_desktop.ini
              Filesize

              8B

              MD5

              621383aab05ec88688f5cce893e26550

              SHA1

              03967cdd69bd47cd2ccede557778546ef7c015eb

              SHA256

              0992c9b2d0872dece2ee570393745ccb6fbeadc2ded371a1f5406447aa872360

              SHA512

              085e0e3da3ad9ebb7b05ad58803f979ad4873337f91e4e0f209756ecf02b5050e33c3ad4a38212308e8beaf1f81625003f28bdc52d41cb2853e8f5a7eeb7a18b

              Download Submit

            • memory/3044-41-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-19-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-26-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-32-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-37-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-416-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-1282-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-9-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-4657-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3044-4824-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3824-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3824-12-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download