Overview

overview

7

Static

static

3

e20e6202b4...62.exe

windows7-x64

7

e20e6202b4...62.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e20e6202b418dabee4c500439e6eee3fed4c36e488a8503e078470b99a6dbf62.exe

  • Size

    7.3MB

  • MD5

    c6de2b67abfd0528f7bd9cf0e4bc07b4

  • SHA1

    b866773fd2d197dd4c9eb112d13540563ecb4199

  • SHA256

    e20e6202b418dabee4c500439e6eee3fed4c36e488a8503e078470b99a6dbf62

  • SHA512

    1a0a788e489a98dce68fe364eb579be647d7c63133a480ed8044d7f781464bea43c5fb3d47e16df10fc35641cfa85c3b5ad45a5fc6e456550c7b058af9c0be34

  • SSDEEP

    98304:jmB9OWBVClfcaA1oZeSajfztbVCGQX4bME4bP8nQgMVQNKe5AJbI8D:jg9OHi1oZepfxUGGNQNKe

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\e20e6202b418dabee4c500439e6eee3fed4c36e488a8503e078470b99a6dbf62.exe
        "C:\Users\Admin\AppData\Local\Temp\e20e6202b418dabee4c500439e6eee3fed4c36e488a8503e078470b99a6dbf62.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E79.bat
          3⤵
            PID:3096
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4988
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3912
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          252KB

          MD5

          5d32193de2cfdf187b43e5aff62a4fd2

          SHA1

          69c3b62ab39c979b2ebaff09c8f299ac3966690f

          SHA256

          b777124eef2f354f48d4e31f57404982b2dcfaa8a08f18cc81dccb11459a367f

          SHA512

          793dff9014d718b26300d6210fe9335131dd56ec0f6c48374ec1777b98fc5fa48cf285f6e066a02813fa77adab8269692e9ec4b14dc11bc04bf4782534ad9ae8

          Download Submit

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          571KB

          MD5

          a1e57af09339824060d8a7932a8835df

          SHA1

          9f996516ac086808685c7881f792a6999f08f17f

          SHA256

          140672e1f00a179bc8c347b30c377661feb60494fd12de24fb73251f08249834

          SHA512

          09a9d04e62fc469fe071ac39d9484096df230528924307cd92b804056087e2f206ff3d676119a01badb51beb869777cadc9772964cd3fca20a70066d185331d6

          Download Submit

        • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
          Filesize

          637KB

          MD5

          9cba1e86016b20490fff38fb45ff4963

          SHA1

          378720d36869d50d06e9ffeef87488fbc2a8c8f7

          SHA256

          a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

          SHA512

          2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a6E79.bat
          Filesize

          722B

          MD5

          ee0b9113d04495d96c07609c956e5b8b

          SHA1

          0fd8df0c13c60e873212d0b5712b6efe5bb5309c

          SHA256

          3aa5812d67f32214b830d68eb04e935378c783b9ffc26fd30bca9310ec0d5ee5

          SHA512

          9ac1de31cc5bbb5887a75ba5fd0f7657f12abfcde1d077af559f3fbc3dbf860e78c5beff32952309a556ef5b1e3cd5025500ecac488a781aa996218b159d113f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e20e6202b418dabee4c500439e6eee3fed4c36e488a8503e078470b99a6dbf62.exe.exe
          Filesize

          7.3MB

          MD5

          172b6d29b3cdcdf2b0b14332eb216161

          SHA1

          7534c39aecd8a968c8cdf34db4cb388d999a3065

          SHA256

          3bb1c042bf917e6577be28edce3243628e9ce4245e9abbc2cc0196ccca26630c

          SHA512

          71e4e14c689974821c0bb80637a53cd5234df0111b809612ac810846fe2ba9d288da20141455b984dd842c8343166f807f8da51e74b66fbe3aec181db72806ce

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          27KB

          MD5

          45fabbad5797257dc9a43b6cc8d2432d

          SHA1

          67df885f45d55667a66a6ec54b07bb1d84eab7de

          SHA256

          26ac0021f99062a8bfe7fb75f9af3bb948576eca9585dd54701f27fad6706b6c

          SHA512

          296c7145356bf381683b2095ab5b897003edae7e5db0e14c737e356340905fcde29a9f1fc94b9737d5efd95fbe132d4661b5316405445e6cde136c9a59a0d25c

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-776854024-226333264-2052258302-1000\_desktop.ini
          Filesize

          9B

          MD5

          02ced53ce3f5b175c3bbec378047e7a7

          SHA1

          dafdf07efa697ec99b3d7b9f7512439a52ea618d

          SHA256

          485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

          SHA512

          669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

          Download Submit

        • memory/4272-12-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4272-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-25-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-35-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-31-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-1226-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-18-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-4641-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-4792-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-9-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4988-5230-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download