Overview

overview

6

Static

static

3

5c2e6d115d...33.exe

windows7-x64

6

5c2e6d115d...33.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c2e6d115dbb8facedfa081f09c7a7a82cf3f93da2da5e115c55ca477b915f33.exe

  • Size

    26KB

  • MD5

    9f75203f9b5121bc1e634cdc6fd0e66d

  • SHA1

    00f20824f7cae679f546ae5dde86563ca68ac6a7

  • SHA256

    5c2e6d115dbb8facedfa081f09c7a7a82cf3f93da2da5e115c55ca477b915f33

  • SHA512

    7dd1afee07503befbf6f7da768226ff65ae3ad1e6267bcf7d5917be29c2f64be4932e6e40b5c8bea7c519a5d8c50658f6e0df998f0fd922c6dd3bc9b4481a46c

  • SSDEEP

    768:qPy1ODKAaDMG8H92RwZNQSw+JnbmQj3FZJ9Vs9XnsD:ffgLdQAQfwt7FZJ92Bs

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\5c2e6d115dbb8facedfa081f09c7a7a82cf3f93da2da5e115c55ca477b915f33.exe
        "C:\Users\Admin\AppData\Local\Temp\5c2e6d115dbb8facedfa081f09c7a7a82cf3f93da2da5e115c55ca477b915f33.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4252
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3316
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1112

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        5f1c30ed47c280f0b9412c90191e969c

        SHA1

        5763ae883d38e04bf2bd539c383c0884f32e703a

        SHA256

        25bf4f212b602d8cfd52e1e592b5ba80eea0c328d837b52b253474797a451aa0

        SHA512

        46829e258964d3c01638787cba96f70a3140303d55b65f782cde74f07b0f24c3115c124b43a09f80d42aa22407906ff20c7e0cf0042e7dc27d8e0ab06f2e657e

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        165KB

        MD5

        7600a50811251ed451401bc93f1d1d00

        SHA1

        6ee8b9cad7f895ec10858264ad889451c751524e

        SHA256

        f90925c39161c1d4d9e7081e37123e0a6cf758032250a901715b109f4fe38c73

        SHA512

        04e680e824e7c066e8cba1809b9ef3448c8fac581d8055898b56de718fa07d84f167ed820f9cedc0346f76a0bf4462f136f27712177e768176eb89c4110d8beb

        Download Submit

      • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        Filesize

        481KB

        MD5

        d9a20f38778ddec5c48e2acde4956248

        SHA1

        fe41d404f38c2d570cd55158524d450f5ed50da3

        SHA256

        f39c91803fd8d891849aa7b16cd6f82fa4a3b0eaf12d6699127206f48dbf9c63

        SHA512

        c879087690924c702a818643329c7c8c2fae5fae3d9a2c6b1c5eb608f3c899ba4bd4708cde9565e957b669c09fa8ab11ad289128bc5871dd85fe4fa90c31e4b4

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\_desktop.ini
        Filesize

        8B

        MD5

        eb2b82f341fdb4eae25ceb49373ed303

        SHA1

        cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

        SHA256

        8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

        SHA512

        895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

        Download Submit

      • memory/4252-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-23-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-994-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-1161-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-1863-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-4726-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4252-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download