Overview

overview

7

Static

static

3

5ba6eb5d73...42.exe

windows7-x64

7

5ba6eb5d73...42.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    158s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2023, 22:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe

  • Size

    240KB

  • MD5

    bd982c42ce5b35176c0152da0489ff92

  • SHA1

    7c09dbc7f889b63296e84c54f447df8c866df726

  • SHA256

    5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742

  • SHA512

    b68684002df3b01c262dd763cd9308ff4670d2f1f8d27c400a01386d446f90d2593616b82aac5bda09a47001a9a3fe598ab83b8389039e9a0996dafe12e6d278

  • SSDEEP

    6144:RVfjmN6Zu82sMVU6ChCWzBx5O9tqVROmD:H7+6osMVcDj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3372
      • C:\Users\Admin\AppData\Local\Temp\5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe
        "C:\Users\Admin\AppData\Local\Temp\5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Users\Admin\AppData\Local\Temp\5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe
            "C:\Users\Admin\AppData\Local\Temp\5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe"
            4⤵
            • Executes dropped EXE
            PID:1164
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4208

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              d4eb69952bdefdeeeb62b61d98b450fc

              SHA1

              906cd329656f45c57c81f2de1614fd9ce7ace777

              SHA256

              a8567b36add750b3d72e00b0123121a0352ee830af2e54563b56d13633a9551c

              SHA512

              68dd1d8ef0b47e0c5bcd78b80b3e4606d1e3479d331c417e2ef7d7cf2d8d2c528bf758edaec306610966ab7a201d007e7a304a8812a1bb3a930a953a35a295a5

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              570KB

              MD5

              15a01d41cfa2be8f6361821e37b09cf8

              SHA1

              b104aa402a5ada78c88da49aed88439660fade1e

              SHA256

              d753050137a73056a24d5eb54b8d9374dccdf4f817196927ed050985d433409f

              SHA512

              8cde516de864b780daa7a0a697d9a315020c59eea6bec1e0e9235d2ac4c1c7d2c700792dd72dc89b53432ba1ca8b9c2716c5376f22430ed4c4e598bb09f31741

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat
              Filesize

              722B

              MD5

              7aca281a45244519404bc6905bbdce02

              SHA1

              5e22d0a1ab1b1a732317b2a5b7adcc7eb9bcf8cf

              SHA256

              8eb089471eb7d5e54eeb365ce2ddacf5f3e7b4d5355ac386c59c10d90a9dce7c

              SHA512

              4bfc1b52c5229e3ebf307b26d65fdf15b7a6072fea65d8ca6a39f64d88822d7f486776931f32436bc5763f9a6e0d1dd57b109d009519ed8469f556fce487b731

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5ba6eb5d73e8928771f77e4a0453efddda3cc088f01cb5b1b65a5480edb41742.exe.exe
              Filesize

              214KB

              MD5

              f34895c892772b1b653221a7cd0f8edc

              SHA1

              2ee60227fdce7127a8473c3d9f4a4d0b8b405749

              SHA256

              eab8273e7137f29f17702530aa5654dbf151054febd083c48d0dba70c1621de6

              SHA512

              9fa8e9ae928ae1c4162542259a6e395bf77227cdd0c0f6a38f46eae3e6562c1a8300fbe22411923a206dc096dc90c0a4d7411d9101991c13cf281783560c3956

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              26KB

              MD5

              e67637261e90adbe15b65425844fb7cc

              SHA1

              5f89461c62efae1aad2b44e4358a56b23e0e5c26

              SHA256

              e0666433cf25a66f296d7471ce0b76e1caba434a9cc489a774b907d302ac17a6

              SHA512

              05c75baf794d0053692cdb57601bb7c9dc1c604c4d25d3b9f965f1c0e62b5dd4cda805f8b55075e21da1e41a225edf0c1a58ac527afd55c0558f4a6d64bdafac

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\_desktop.ini
              Filesize

              10B

              MD5

              7ffaa74dcf5b57082a43c17464e10782

              SHA1

              c6cf002ebb82e54cb14553d044f6c61463b369a6

              SHA256

              b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65

              SHA512

              35ef0f681e44781b5dc20e179918be9dad7be2029093f9537cfe30bff888bc875ad32e6bbb59294dc36779829bab7aa6ebfac9e93c6a1ef5e4e7ddde85bb6de8

              Download Submit

            • memory/408-10-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/408-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-33-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-26-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-37-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-42-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-8-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-404-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-1165-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-2328-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3756-19-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download