Overview

overview

7

Static

static

3

2ec1e50eb7...e0.exe

windows7-x64

7

2ec1e50eb7...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ec1e50eb7a857c277121df60ce270297942379f5902d6d6ff724c75b2c7d7e0.exe

  • Size

    44KB

  • MD5

    770677aa8fe757f7d83881d9649229ce

  • SHA1

    dc6595c29f2edabbaea280fc9461a00e7c629c3e

  • SHA256

    2ec1e50eb7a857c277121df60ce270297942379f5902d6d6ff724c75b2c7d7e0

  • SHA512

    b03cf232330d3a6b674fc8ad3438ff45e75822cd860d2e89ea86cbc91500df1cc3a736df22e520510aff3ab489b8778b2e387d975b2808a439e6332cf1f389f9

  • SSDEEP

    768:E7wT2ljlL5b+n8WF6z6zq8bW+g5L6wLvo4nF0fUFKPv2QrFheR6zEuR:E7bj95b+n8wZq8b05LjFKPvRhc2Eu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\2ec1e50eb7a857c277121df60ce270297942379f5902d6d6ff724c75b2c7d7e0.exe
        "C:\Users\Admin\AppData\Local\Temp\2ec1e50eb7a857c277121df60ce270297942379f5902d6d6ff724c75b2c7d7e0.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a659F.bat
          3⤵
            PID:1820
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4760
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3292
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 744
                4⤵
                • Program crash
                PID:4696
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 956
                4⤵
                • Program crash
                PID:812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4760 -ip 4760
          1⤵
            PID:1656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
            1⤵
              PID:2692

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
              Filesize

              4.9MB

              MD5

              9c711d1788319c325cc0afead185403f

              SHA1

              f309665b8d100d6580d4caafbfb2ce1ae5dde3d9

              SHA256

              1b2dbc3c45e53572949e96fe4012163f76f617e603b38a34d1da1988cfca0a17

              SHA512

              1e4fab31ffc8da6252743f7cc76829ed81c91d026aa257e02e59c7c942604da9b20ca3058dfa063cfdc12213cfc47cc2cbc49f987c1fd0db44c318b49e016a3a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a659F.bat
              Filesize

              722B

              MD5

              f04c43c4479860580e82db4c975fe24b

              SHA1

              7e3f775bcad1979f8df8103b9bc48c1dc8d84980

              SHA256

              c135cfac63ea2c72ecc36db8d5ac86aa17f4ac25bdf8d08c5ea6ed6171d2f237

              SHA512

              eb15f0d72232b7f96b9385ddfed7ab79fb0668bf20b57ff58be87d2f0def913f2321e64c93fa361d717c3d46a8d429095ce71efbbca56dcddef5d5817475f7bf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\2ec1e50eb7a857c277121df60ce270297942379f5902d6d6ff724c75b2c7d7e0.exe.exe
              Filesize

              57B

              MD5

              fe5caf37c0b4607155add04f27bc07d9

              SHA1

              aca97217c0e43d8d9315a08f1843aef1b18c37ee

              SHA256

              b0b293dc8f146fdbba6f6e3a97e9845dbdf4b7aa96b4b74eb63b06653585750b

              SHA512

              30087f9dc3f692023a264d84df482b9f4cd40b0b0fbffa1516afa91f1c8dc0f47ce2a957e2df544e47184f9706542a58ae49f6cace6c834f576f699b31e8ae48

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              43KB

              MD5

              7dcba2547018dac956fb2009071b7645

              SHA1

              f42360ef36dd23d1ed1233022fdc194df3b274c5

              SHA256

              b1c7a31f00fab9fc58df21a8b17fbfcd09787260b4b576b8c2c3f6d9c58b83a5

              SHA512

              1f309fd880a182e2ad09256f861d608f4ee9f63acae9c9411f3a608f915f5960eb5bdc29d0e0fe4387514d847473910386f095781d598e93b634566cfdcea47e

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\_desktop.ini
              Filesize

              9B

              MD5

              2be02af4dacf3254e321ffba77f0b1c6

              SHA1

              d8349307ec08d45f2db9c9735bde8f13e27a551d

              SHA256

              766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

              SHA512

              57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

              Download Submit

            • memory/4452-0-0x0000000000400000-0x000000000044D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4452-9-0x0000000000400000-0x000000000044D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4760-10-0x0000000000400000-0x000000000044D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4760-1506-0x0000000000400000-0x000000000044D000-memory.dmp

              Filesize

              308KB

              Download