Overview

overview

7

Static

static

3

eb17ac1bdd...3f.exe

windows7-x64

7

eb17ac1bdd...3f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2024 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe

  • Size

    484KB

  • MD5

    9a8d8f6d14fab05a4a4c26a94d006bfe

  • SHA1

    a79d85dd3eeaa3dceaba4f0a849bc0511c2b8764

  • SHA256

    eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f

  • SHA512

    30b55e509bceea88b4c78024afa7dc8310425623d22a4fd237a4e940a2ae6b2bce7383a70039ccaee1e36967578b3f6311bbc16e1981ee10aa91861184ef4ef4

  • SSDEEP

    6144:0lVfjmNzz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fa2:0D7+n1gL5pRTcAkS/3hzN8qE43fm78V

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe
        "C:\Users\Admin\AppData\Local\Temp\eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73E8.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3828
          • C:\Users\Admin\AppData\Local\Temp\eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe
            "C:\Users\Admin\AppData\Local\Temp\eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe"
            4⤵
            • Executes dropped EXE
            PID:4604
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2480

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        c9b4b3dcc6c15deb8ab975a3da45a345

        SHA1

        122237d381601d493621a3c6ddaf6d6d3339f1db

        SHA256

        fbdb341ca17d21d5193fb451c843205b4b7bb703b51c58c196935efff6a3cf70

        SHA512

        3c3a5f6e4b5ffcd5ec6f68f15ee7ce06b629b252f901f9c1d08ff090765dd2918d5cfc8cdbfcdc991e10538189a6db7c55badeaac40a0cacef6c7ad67026fa36

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        ce1d032ca2a8fa4eb048120975bf72d2

        SHA1

        587fcf144410b2260877e20f13209c420a0be524

        SHA256

        f4bdaa7c68267c4001dd15fecbbc21a537b3cb3cdbac8ae942ba84b9d7b03a88

        SHA512

        f37e8e951035e8524170fa45bc01f249fea5ee5e052dea73b89d81e85f7eb498ce8d627b19c011b0993256b7fcc0f55311f1efb657aca508dbc0055381214113

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a73E8.bat
        Filesize

        722B

        MD5

        3715c8ef4c62ffd3aab5c66e1942386d

        SHA1

        ff84aa44ed6752062d85f2da007c5602ddd97049

        SHA256

        cbe8c8c61e165e92aad9c6216452348dab33cf5c6cc729a81012058136cabbbb

        SHA512

        584a16b11d596ed10f26115d88d1a70e0bb0d42197b29d498005cd6340152f5dac7f951e9f6dce9680d10828729ef96dff225fd0ce35192d21ec51cf654fe6df

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\eb17ac1bdd93b362673b8c17333f788d4cc0be5fcdb4d101395e19bf8bca713f.exe.exe
        Filesize

        458KB

        MD5

        619f7135621b50fd1900ff24aade1524

        SHA1

        6c7ea8bbd435163ae3945cbef30ef6b9872a4591

        SHA256

        344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

        SHA512

        2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        e98a8347c79884c56f2c4d168f2766cf

        SHA1

        6fb56c879df91c8d71b133ed88ef01318f681d28

        SHA256

        bdcd787732138aceb05f7fe381d1b883101859fb8cb4cc3ab749e640be3e0947

        SHA512

        1aa7e9965caee0b7685bc5fa725443b3067818b0076cd2b4c5cf7d254834f7468e4385d9743a62d0011b67a004333b4e28911f7e7083d7fdbf7736e447f1585f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\_desktop.ini
        Filesize

        8B

        MD5

        eb3fe7085aac4986a5db69d6c382011f

        SHA1

        19c0d93bf576dc3bcf232628428d6218f91767a0

        SHA256

        41f6ad8112406e684ecf32a535c20fbac2db8d577e00b14197146b599a4b6ab2

        SHA512

        26ed6484407c76b27987c2ed0e5ec2522ea6053de299c486841195690c536d72d0569fb291a9b9a91ce74fa22f4c37c43b491f4d0ff00afb8771bd36a7dcf508

        Download Submit

      • memory/3304-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3304-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-433-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-1175-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-2250-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-4743-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download