Analysis

  • max time kernel
    155s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-11-2023 09:37

General

  • Target

    3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe

  • Size

    3.3MB

  • MD5

    3e2e461969f003f51b4767f09264f034

  • SHA1

    92cfe0f580994774a78bb6f400855c18c3703be1

  • SHA256

    3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691

  • SHA512

    367902b71bd79f1545a8550dd2181d59c9bc4a03be9bfecf1ecf0efa70ef0cc316c72a4a2ede3308b1f7d495482b847517b579ce623efbabc93f111b6d190e4c

  • SSDEEP

    49152:V7OD1wyVu6kLS4U/DiaJ0de0r2AJisyYy20QkTu5dPkLoJjEW3:cwv6kw/eJNHy2z+LoJjEW3

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3156
      • C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
        "C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a217D.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
            "C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe"
            4⤵
            • Executes dropped EXE
            PID:5080
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3184
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:4788
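The chain in the tree above (an EXE in the user's Temp directory runs cmd.exe on a Temp .bat, the .bat starts Logo1_.exe from C:\Windows, and Logo1_.exe uses net.exe to stop an antivirus service) written as detection logic over process-creation events. This is an added example and is not part of the sandbox report. The events are constructed from the report's own process tree (same images, PIDs and command lines); the event schema, the rule names, the allow-list of binaries that legitimately sit directly under C:\Windows and the service-name hints are assumptions for illustration.

```python
"""Detection rules for the process chain shown in the tree above.

Added example; not part of the sandbox report. EVENTS is constructed from the
report's process tree. The schema, rule names, WINDOWS_ROOT_ALLOW and
SECURITY_SERVICE_HINTS are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe")

# Constructed from the report's process tree (PIDs and command lines as shown there).
EVENTS = [
    ProcEvent(3156, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3988, 3156, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3060, 3988, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a217D.bat"),
    ProcEvent(5080, 3060, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5072, 3060, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(3184, 5072, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(4788, 3184, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Assumed allow-list: binaries that normally live directly under C:\Windows (illustrative).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "winhlp32.exe"}
# Assumed hints: substrings that mark a service name as belonging to a security product.
SECURITY_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "security", "endpoint")

WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
BAT_ARG = re.compile(r"/c\s+(\S+\.bat)\b", re.I)
NET_STOP = re.compile(r'\bstop\s+"?(.+?)"?\s*$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)

        # Rule 1: an EXE running from a user Temp directory launches cmd.exe to
        # execute a .bat that also lives in Temp (the $$a217D.bat stage).
        if parent and in_user_temp(parent.image) and name == "cmd.exe":
            m = BAT_ARG.search(e.cmdline)
            if m and in_user_temp(m.group(1)):
                alerts.append(("temp_exe_runs_temp_bat", e.pid, m.group(1)))

        # Rule 2: a non-allow-listed EXE directly under C:\Windows\ started by
        # cmd.exe or by a Temp EXE (the Logo1_.exe stage).
        if WINDOWS_ROOT_EXE.match(e.image) and name not in WINDOWS_ROOT_ALLOW:
            if parent and (basename(parent.image) == "cmd.exe" or in_user_temp(parent.image)):
                alerts.append(("dropped_exe_in_windows_root", e.pid, e.image))

        # Rule 3: net.exe/net1.exe stopping a service whose name looks like a
        # security product. net1.exe under net.exe is the same action, so it is
        # skipped to avoid a duplicate alert.
        if name in ("net.exe", "net1.exe"):
            if name == "net1.exe" and parent and basename(parent.image) == "net.exe":
                continue
            m = NET_STOP.search(e.cmdline)
            if m and any(h in m.group(1).lower() for h in SECURITY_SERVICE_HINTS):
                alerts.append(("stops_security_service", e.pid, m.group(1)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Run against the constructed events this yields exactly three alerts, one per stage (PIDs 3060, 5072 and 3184). Rule 2 is the one most likely to need tuning on real telemetry: the allow-list here is a guess, so build it from a clean baseline of your own image before relying on it.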

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\7-Zip\7z.exe

        Filesize

        484KB

        MD5

        e707e19b04804d739137a82fbba2baa9

        SHA1

        22c58fe3de71434377659208218ca6fc5d568a08

        SHA256

        31e83dd1a799cde7731b20b8598a6308b03b5f78de8bd672d07765906346495f

        SHA512

        21919054dc8e9fd73a177ed86aa085ed95efce13ecf2f7d1d9149aae59f071e5a0e4d222e483814d4828ac5c5d3df1bdd9b1dc1161e6e819a00255e632f11459

      • C:\Users\Admin\AppData\Local\Temp\$$a217D.bat

        Filesize

        722B

        MD5

        be18153dedd99337fbf3cafb76019a0d

        SHA1

        8aff8c63a6aaccca1e0273cae9118fd528bf6fcc

        SHA256

        af30567173979869c4c938a60dca010cd990509979fe24554ada83d756719efc

        SHA512

        79d428e2d6971d2e91f38603c3900de250571f756843512fd56f282db6f7d14f429027ae35a74d487b0ec5540792a0f3f5fac1312debca5bcaefd1e3a413cef5

      • C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe

        Filesize

        3.2MB

        MD5

        05eaae72e8de3c506880278ac5a2a9d7

        SHA1

        182dfc7897f0f17f2c6174c481ccc9d2c198a420

        SHA256

        69667b2690467f2c81a56edeb19cc73e620e95db8d50c34fb163c0f579689d7d

        SHA512

        dec670f4e5cb8029c21bfe87be022b602bda3b0738cc27478e20206ec4c245548b70c001b10d123b9045efc81de25ace430a77ff6e229075f98f19c2d96ffae8

      • C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe.exe

        Filesize

        3.2MB

        MD5

        05eaae72e8de3c506880278ac5a2a9d7

        SHA1

        182dfc7897f0f17f2c6174c481ccc9d2c198a420

        SHA256

        69667b2690467f2c81a56edeb19cc73e620e95db8d50c34fb163c0f579689d7d

        SHA512

        dec670f4e5cb8029c21bfe87be022b602bda3b0738cc27478e20206ec4c245548b70c001b10d123b9045efc81de25ace430a77ff6e229075f98f19c2d96ffae8

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        5ae65773d0e0a119933fc8f2c4717d5b

        SHA1

        464955e3c0a100e1da6bc216a9293a17881abeaf

        SHA256

        db1202812eafcc520148f302869a028b8509cb6cbc09eaddcfed1e82ee2785bb

        SHA512

        18a6639c611ebd3dbd1929acd1cd41174879e02302e7bb6cce81d05633345ce300dd9bb7d7b2f9eddfb58ad52da5c2c1d79a4f7983eb810f8327727f055ffae7

      • C:\Windows\rundl132.exe

        Filesize

        26KB

        MD5

        5ae65773d0e0a119933fc8f2c4717d5b

        SHA1

        464955e3c0a100e1da6bc216a9293a17881abeaf

        SHA256

        db1202812eafcc520148f302869a028b8509cb6cbc09eaddcfed1e82ee2785bb

        SHA512

        18a6639c611ebd3dbd1929acd1cd41174879e02302e7bb6cce81d05633345ce300dd9bb7d7b2f9eddfb58ad52da5c2c1d79a4f7983eb810f8327727f055ffae7

      • F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini

        Filesize

        9B

        MD5

        6029ce528adbc1284163cdd2b27a082e

        SHA1

        a2f23e1d5101c3b6929686a2d5711c2af2dec1b7

        SHA256

        5036deecfbb090aa7f7c21c159b1921df0cf23eedafb7e0c208668ad82872dae

        SHA512

        a661e939e69a59f88fd86fa654371ba4b3e3e8faf5c1b39bdaa0def8b277b26b63e96d4f5eb047ca3d8888597165dc709f395eeaf333c25c9cf56441c31dd676

      • memory/3988-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3988-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-836-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-923-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/5072-1086-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB
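The hashes and paths in the Downloads list turned into a file-system sweep, as an added example that is not part of the report. The SHA256 values and file paths are taken from the report; the inventory format (path to SHA256, as an EDR file-inventory export would provide), the generalisation of the single F: recycle-bin marker to any drive letter and of `$$a217D.bat` to any `$$a<hex>.bat`, and the placeholder digests in the constructed inventory are assumptions.

```python
"""File-system IOC sweep built from the report's Downloads list.

Added example; not part of the sandbox report. Hashes and paths are the
report's; inventory format, pattern generalisations and the constructed
inventory below are assumptions.
"""
import hashlib
import re

# SHA256 of files the sandbox recorded the sample writing (from the report).
IOC_SHA256 = {
    "db1202812eafcc520148f302869a028b8509cb6cbc09eaddcfed1e82ee2785bb":
        "Logo1_.exe / rundl132.exe (26KB copy)",
    "af30567173979869c4c938a60dca010cd990509979fe24554ada83d756719efc":
        "$$a217D.bat (722B launcher script)",
    "69667b2690467f2c81a56edeb19cc73e620e95db8d50c34fb163c0f579689d7d":
        "re-dropped sample (.exe / .exe.exe in Temp)",
    "31e83dd1a799cde7731b20b8598a6308b03b5f78de8bd672d07765906346495f":
        "C:\\Program Files\\7-Zip\\7z.exe as written by the sample",
    "5036deecfbb090aa7f7c21c159b1921df0cf23eedafb7e0c208668ad82872dae":
        "_desktop.ini marker (9 bytes)",
}

# Path patterns from the report. Drive letter and the hex part of the .bat name
# are generalised (assumption); the report shows only F: and $$a217D.bat.
IOC_PATHS = [
    (re.compile(r"^c:\\windows\\logo1_\.exe$", re.I), "Logo1_.exe in Windows directory"),
    (re.compile(r"^c:\\windows\\rundl132\.exe$", re.I),
     "rundl132.exe (lookalike of rundll32.exe) in Windows directory"),
    (re.compile(r"^[a-z]:\\\$recycle\.bin\\s-1-5-21-[\d-]+\\_desktop\.ini$", re.I),
     "_desktop.ini marker in a drive's recycle bin"),
    (re.compile(r"\\appdata\\local\\temp\\\$\$a[0-9a-f]+\.bat$", re.I),
     "$$a<hex>.bat launcher in user Temp"),
    (re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe\.exe$", re.I),
     "double .exe.exe copy in user Temp"),
]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks; use it to build a real inventory for sweep()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(inventory):
    """inventory: {path: sha256 hex}. Returns (path, reason) for hash and path hits."""
    hits = []
    for path, digest in inventory.items():
        d = digest.lower()
        if d in IOC_SHA256:
            hits.append((path, "hash match: " + IOC_SHA256[d]))
        for pattern, reason in IOC_PATHS:
            if pattern.search(path):
                hits.append((path, "path match: " + reason))
    return hits


# Constructed inventory, not real host data; "placeholder" digests stand in for
# files whose content is unknown here.
CONSTRUCTED_INVENTORY = {
    r"C:\Windows\Logo1_.exe":
        "db1202812eafcc520148f302869a028b8509cb6cbc09eaddcfed1e82ee2785bb",
    r"C:\Windows\rundl132.exe":
        "DB1202812EAFCC520148F302869A028B8509CB6CBC09EADDCFED1E82EE2785BB",
    r"E:\$RECYCLE.BIN\S-1-5-21-1111111111-2222222222-3333333333-1001\_desktop.ini":
        "placeholder-unknown-content",
    r"C:\Windows\System32\rundll32.exe": "placeholder-legitimate-binary",
    r"C:\Program Files\7-Zip\7z.exe":
        "31e83dd1a799cde7731b20b8598a6308b03b5f78de8bd672d07765906346495f",
}

if __name__ == "__main__":
    for path, reason in sweep(CONSTRUCTED_INVENTORY):
        print(f"{path}\n    {reason}")
```

On a live host, feed `sweep()` a dictionary built with `sha256_file()` over the candidate paths. Hash hits are conclusive; path hits only show the same naming and need a look at the file. The 7z.exe entry matters because the report lists a file in Program Files among the sample's writes, so a stock 7-Zip install whose 7z.exe carries that digest has been replaced.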