Overview

overview

7

Static

static

3

6f4ae57cd6...fc.exe

windows7-x64

7

6f4ae57cd6...fc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    159s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe

  • Size

    46KB

  • MD5

    7a61f04cc09eea2a5c71f330e1793c51

  • SHA1

    b17cfe013d24dfd22f2c66eb862dfd602678daba

  • SHA256

    6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc

  • SHA512

    52bcd86d19cfb0e8950148c39f38a077b439e93f71f281ae71e23e36c90582c1ebe049d3602189fee022817b959fca3c7ccf5070a9621bd1068ec598ff08dc1f

  • SSDEEP

    768:Lo1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLzXqv82FVvh:efgLdQAQfcfymNv6v1h

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe
        "C:\Users\Admin\AppData\Local\Temp\6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A06.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1096
          • C:\Users\Admin\AppData\Local\Temp\6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe
            "C:\Users\Admin\AppData\Local\Temp\6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2420
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1440
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        e28318d6b1324fe9925b5892d4204fdd

        SHA1

        554e8699aa60770608066690834febfab56cffb3

        SHA256

        ad3b2c95dc3c3202c8699f84f420e364b4417fbe9630294ca2c3bda6a0805bbb

        SHA512

        3e475cba03138c5b3212722e05c9fed0acb7aef86294ccbfba832c81b09e760dc3100c5cb8e10a5ee9499d6c6f1e6f1e2d1f48f0bea91e6435ab0fa8e8ce4eb9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a3A06.bat
        Filesize

        722B

        MD5

        d0f4a66e827aaed99a03c062ce1cd8b6

        SHA1

        b94f79373e59be4107d34b76d8b63bf544f1fcab

        SHA256

        519eb1c9fd4eecb9bad76f2c74210d53d024b57673e8dd2e806339bf0d2c7308

        SHA512

        fdfbd8aa2aff7fcb917c386b51ec6ee4ece0b37c8b6d04bfce60078513b071c03d9ede50522ce9d4fa45fbe6ae49e33e1895b7148df71106d7b81b7ade5b3dab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6f4ae57cd68ba3152b5ace98d3aa5ef24b2e8b5291a91734bec6d07b8a7343fc.exe.exe
        Filesize

        20KB

        MD5

        46eff666c94e3f7cf93ce87feb23af51

        SHA1

        fdb4d2878166c547b4fb61996f673ae345c2415c

        SHA256

        5115438f3279d97dfef6f319688c0b154ed0e62a55dd8e8dc6cc370a4e1aa742

        SHA512

        6f7db660cde8a89c11f7202f720d9805d1cddeb34013bf96cc400378a31e8c0af45ed681a45ed7a1c261c9c6d93504167519f2e91cc90f6afbde636cb881486b

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        6ad5408b0f8b4954bdd0d35a7ad33ad5

        SHA1

        eb194247ed35c5ada3bc2843b2253517aff53468

        SHA256

        ad6fddec2546fd9ea19542320a4a271512df03edc6e635ba70bc820a7529c3a6

        SHA512

        2464d75e5ac13379c2ca15f70b9b2fcde85d5f616f31955970c07a3c03b3e8be6f0d25364d9eb934e150d417e669b9c26c789df56da304c1528d8f49bf366b23

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\_desktop.ini
        Filesize

        10B

        MD5

        fe9b9583606636183df7abeebc086acc

        SHA1

        f7ff4f3c6b67dd97e9af553c62cc8d876739237c

        SHA256

        46502680c9b2f0e257b18463d84c1229974e57a13756d6f4a2fe25f41e2d05bc

        SHA512

        12a615fc2aa2493aa0c2a620683c5edbc3f3c9d95cbc9fde4da1eb6e3261a9557df78f521347a656f7ff338f7bff41a5d02f5ed6de5c3243adc16a00acf324a5

        Download Submit

      • memory/2780-13-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2780-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-47-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-147-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-315-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-442-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4956-1006-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download