Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-03-2024 02:58

General

  • Target

    a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe

  • Size

    29KB

  • MD5

    3860023d0534f7b5e84b77da9a7eaca7

  • SHA1

    9072ddac934b457ea37c14d1080479cd81b3fc83

  • SHA256

    a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d

  • SHA512

    f3a34f0edafe327a3cb7b2f6288687aeb038f3f505c660819e34e1442b54ab83db9d16f4bd145982b427d13ee5b500d92a1108b74296f30067df2cc17e4a4599

  • SSDEEP

    384:NbbCI8WU7tx1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnj:p2ssf16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe
        "C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4444
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2136
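The process tree above shows the chain Explorer.EXE → sample (PID 3452, running from the user's Temp directory) → net.exe (PID 1928) → net1.exe (PID 4444), with the last two issuing `stop "Kingsoft AntiVirus Service"`. The following is an added example, not part of the sandbox report, of detection logic a SOC could run over process-creation telemetry to surface that pattern: it finds service-stop commands issued through net.exe/net1.exe/sc.exe, walks the parent chain back to the first process that is not itself a service-control tool, and raises severity when that origin lives in a user-writable path and the service name looks like a security product. The event records are constructed here from the PIDs and command lines on this page; the field layout (pid, ppid, image, cmdline) is an assumption modelled loosely on a Sysmon Event ID 1 record, and the keyword lists are heuristics, not an exhaustive AV vocabulary.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (assumption: one dict per event, field
# names chosen for this example). PIDs and command lines come from the report.
EVENTS = [
    {"pid": 3348, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3452, "ppid": 3348,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe"'},
    {"pid": 1928, "ppid": 3452, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 4444, "ppid": 1928, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 2136, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

# Binaries that can stop a service from the command line.
SERVICE_STOP_TOOLS = {"net.exe", "net1.exe", "sc.exe"}
# `stop "Some Name"` or `stop SomeName`, issued by any of the tools above.
STOP_RE = re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Locations a non-admin user can write to; a service stop originating here is
# far more suspicious than one typed into an administrator's console.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# Heuristic hints that the stopped service belongs to a security product.
SECURITY_HINTS = ("antivirus", "anti-virus", "defender", "security", "protect", "endpoint")


def ancestors(events, pid):
    """Return [self, parent, grandparent, ...] for pid, stopping at unknown PIDs or loops."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_service_stops(events):
    """Flag service-stop commands and attribute each one to its originating process."""
    findings = []
    for e in events:
        tool = PureWindowsPath(e["image"]).name.lower()
        if tool not in SERVICE_STOP_TOOLS:
            continue
        m = STOP_RE.search(e["cmdline"])
        if not m:
            continue
        service = m.group(1) or m.group(2)
        chain = ancestors(events, e["pid"])
        # Origin = nearest ancestor that is not itself net.exe/net1.exe/sc.exe
        # (net.exe re-launches itself as net1.exe, so skip that hop).
        origin = next(
            (a for a in chain if PureWindowsPath(a["image"]).name.lower() not in SERVICE_STOP_TOOLS),
            chain[-1],
        )
        from_user_dir = any(w in origin["image"].lower() for w in USER_WRITABLE)
        looks_like_av = any(h in service.lower() for h in SECURITY_HINTS)
        findings.append({
            "pid": e["pid"], "tool": tool, "service": service,
            "origin_pid": origin["pid"], "origin_image": origin["image"],
            "severity": "high" if (from_user_dir and looks_like_av) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_service_stops(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} ({f['tool']}) stopped '{f['service']}' "
              f"on behalf of pid {f['origin_pid']}: {f['origin_image']}")
```

Both the net.exe and the net1.exe events are reported, each attributed back to PID 3452; deduplicating on (origin_pid, service) is a reasonable follow-up if the net.exe → net1.exe double entry is noisy in your pipeline.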

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\dotnet\dotnet.exe

    Filesize

    168KB

    MD5

    4e9105279f3ae3a04f0df99913e41164

    SHA1

    ed4a3d39a412ed86297a47124273cf2f67df4285

    SHA256

    48447c896938077a019e9c26c0e8f0b9ed8a700fb7df5e08458353a814497b83

    SHA512

    ac4355f413a66e39f0ce154c5ce544970d802fb71f4c2004c214e9d89029a6c6a3e0a4b837efeb8ef44c1d54d8a5c3a5e442ecf19a2fbf141fa2b12acd46d6e9

  • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

    Filesize

    9B

    MD5

    cbff752523567179ac32a14f905e1944

    SHA1

    446aa136e2ec27c083df7dd49d0252f1c0243bde

    SHA256

    eb7756d2a0d4fe754f1fe3d1d30c92a3f7ac52252b13cd171fd7ce553d760371

    SHA512

    9131c53463d7ce35aa85fbd70b312fdbc04c7c649fae0f6a762758e8e39ee863bdf84a6d23d1879814f69a6d4c4fe38501235c2e557b68309d560f06c18e9eff

  • memory/3452-N-0x0000000000400000-0x0000000000436000-memory.dmp, for snapshot N in 0, 5, 13, 19, 24, 28, 729, 1002, 1169

    Filesize

    216KB per snapshot (the same 0x36000-byte region of PID 3452, from 0x400000 to 0x436000, captured nine times)
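The dropped-file table above gives a SHA256 for each written file, and the memory-dump names encode the PID and address range of the captured region. The following is an added example, not part of the sandbox report, of how those values can be turned into a retro-hunt over an endpoint file inventory: exact hash matches against the report's IoCs, a path-pattern rule for the `$RECYCLE.BIN\<SID>\_desktop.ini` marker generalised across drive letters and SIDs, and a "listed path but different content" rule for files such as dotnet.exe that should be verified rather than trusted. The inventory records are constructed for this example (the field layout `path`, `size`, `sha256` is an assumption about what an EDR export looks like), and `parse_dump_name` cross-checks the 216KB figure against the region bounds in the dump file names.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 IoCs copied from this report (the submitted sample plus the two dropped files).
IOC_HASHES = {
    "a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d": "submitted sample",
    "48447c896938077a019e9c26c0e8f0b9ed8a700fb7df5e08458353a814497b83": r"C:\Program Files\dotnet\dotnet.exe",
    "eb7756d2a0d4fe754f1fe3d1d30c92a3f7ac52252b13cd171fd7ce553d760371":
        r"F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini",
}
# Paths the report lists as written; compared case-insensitively.
IOC_PATHS = {p.lower() for p in IOC_HASHES.values() if "\\" in p}

# Assumption: the reportable behaviour is "_desktop.ini written under a user SID
# in a drive's recycle bin", so match any drive letter and any S-1-5-21 SID.
RECYCLE_MARKER_RE = re.compile(
    r"^[A-Z]:\\\$RECYCLE\.BIN\\S-1-5-21-\d+-\d+-\d+-\d+\\_desktop\.ini$", re.IGNORECASE)
# memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
DUMP_NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_dump_name(name: str):
    """Decode PID, snapshot index and region bounds from a sandbox dump file name."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        return None
    pid, snap, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "snapshot": int(snap), "start": start, "end": end,
            "size": end - start, "size_kb": (end - start) // 1024}


def triage_inventory(records):
    """Return one hit per inventory record that matches an IoC hash or path rule."""
    hits = []
    for r in records:
        path, digest = r["path"], r["sha256"].lower()
        if digest in IOC_HASHES:
            hits.append({"path": path, "reason": "sha256 matches report IoC",
                         "ioc": IOC_HASHES[digest]})
        elif RECYCLE_MARKER_RE.match(path):
            hits.append({"path": path, "reason": "recycle-bin _desktop.ini marker pattern"})
        elif path.lower() in IOC_PATHS:
            # Same path as a dropped file but different content: do not assume it is
            # clean; verify the Authenticode signature / known-good hash for that version.
            hits.append({"path": path, "reason": "path listed in report, content differs; verify"})
    return hits


# Constructed inventory: one record reuses the report's dotnet.exe hash (upper-cased
# to exercise case handling); the other hashes are of made-up byte strings.
SAMPLE_INVENTORY = [
    {"path": r"C:\Program Files\dotnet\dotnet.exe", "size": 172032,
     "sha256": "48447C896938077A019E9C26C0E8F0B9ED8A700FB7DF5E08458353A814497B83"},
    {"path": r"E:\$RECYCLE.BIN\S-1-5-21-1-2-3-1001\_desktop.ini", "size": 9,
     "sha256": sha256_hex(b"constructed-marker")},
    {"path": r"C:\Program Files\dotnet\dotnet.exe", "size": 170000,
     "sha256": sha256_hex(b"constructed-other-dotnet")},
    {"path": r"C:\Windows\notepad.exe", "size": 1, "sha256": sha256_hex(b"benign")},
]

if __name__ == "__main__":
    for h in triage_inventory(SAMPLE_INVENTORY):
        print(h)
    print(parse_dump_name("memory/3452-1169-0x0000000000400000-0x0000000000436000-memory.dmp"))
```

The hash rule is exact and therefore brittle against recompiled variants; the path rules are what give this hunt reach across hosts the sandbox never saw. The region size decoded from the dump names (0x436000 minus 0x400000) is 221184 bytes, which is the 216KB the table reports, while the file on disk is 29KB, so the in-memory image is much larger than the executable that produced it.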