Overview

overview

7

Static

static

3

59b6322d43...1f.exe

windows7-x64

7

59b6322d43...1f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 04:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe

  • Size

    141KB

  • MD5

    07913768ba8671ed258c0cf4195c0a89

  • SHA1

    f570b01892ddd594ad6a1a5327cda9397da65af1

  • SHA256

    59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f

  • SHA512

    4e7fc118bb8552380afd447b6260b4e8d57741e13189e27b382101c61d7e8eda8030c54152e8eab1fe7b489f34a61d5e68a18beaa33eaa9ba9f865bbc219eafd

  • SSDEEP

    3072:EHj95SXqLhByvfc2KHj95SXqLhByvfc2v5dp9qdeQ+lUq58M:uj9N/Gfc2Uj9N/Gfc2hdp9qw3GqO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
        "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C1C.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
            "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E20.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2440
              • C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
                "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
                6⤵
                • Executes dropped EXE
                PID:1028
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4200
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2772
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1016
              4⤵
              • Program crash
              PID:2620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2232 -ip 2232
        1⤵
          PID:3200

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\$$a4C1C.bat
          Filesize

          722B

          MD5

          eae570e28a750cb58d71e5f653129fbd

          SHA1

          e3674ba2b6227cba94fbe76716ed0aca4b8bf4af

          SHA256

          f0b422d5bed0d4c2b1537193d5cb3eb537116bc6fe4b6117a5915a6e5592a506

          SHA512

          8901eb50353101282feb278a97654d86e07823833bcdc95ad77d566c0e47a910585cec857ed7045b7e5889d23107b0c93691dc30c6d873690e60329b06bc1f9d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a4E20.bat
          Filesize

          722B

          MD5

          34e1127bbb4c1b6a4e01dbde7973e1f2

          SHA1

          25a609b8e1bf8e150c33c5eaa83d7bf74a965748

          SHA256

          06241e0dba4fa050aaf98d96505e16e777ed004be464694da6ffa29a01d319b5

          SHA512

          4565de144c831a65fc6660d730f3f095c18a39525e01783eff12d740cf7e79e2fae84e3aaa5db9441b56edcc07bda5ee8b66e6d394e2b9cb6547979d54913922

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe.exe
          Filesize

          97KB

          MD5

          9d3084010a05ce316da013e3b8f965db

          SHA1

          c0d1b45834945884574f9aff8925fb0aae671995

          SHA256

          58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280

          SHA512

          31eea46ee407c31f604ae3a4fe47bb1ecc333d36246b69d3e86318e879c3fa71e291948a29ebe72632ca1553daaf7db723efa78d828fbf301b2a4d11c32f282d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe.exe
          Filesize

          54KB

          MD5

          feaa33ff0acb74b3c0d033fb65006a8b

          SHA1

          c75b34d4eb1e0a8f36a6de9b97e98279216ece21

          SHA256

          e0f2b7fabc60ab10deb15ed61103d320071e054c603133a22a77ab28a2e6625c

          SHA512

          3451297e342714ba0d1910db69725481bcbc9943cb62a9294d523a7ccf966a7cf51b4c3ef3dfb241708081f4f295ad8f9da2051136ea9ec0e2c03851b33af128

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          43KB

          MD5

          7dcba2547018dac956fb2009071b7645

          SHA1

          f42360ef36dd23d1ed1233022fdc194df3b274c5

          SHA256

          b1c7a31f00fab9fc58df21a8b17fbfcd09787260b4b576b8c2c3f6d9c58b83a5

          SHA512

          1f309fd880a182e2ad09256f861d608f4ee9f63acae9c9411f3a608f915f5960eb5bdc29d0e0fe4387514d847473910386f095781d598e93b634566cfdcea47e

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini
          Filesize

          9B

          MD5

          2be02af4dacf3254e321ffba77f0b1c6

          SHA1

          d8349307ec08d45f2db9c9735bde8f13e27a551d

          SHA256

          766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

          SHA512

          57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

          Download Submit

        • memory/1028-24-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2108-8-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/2108-0-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/2232-9-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/2232-2668-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/4976-20-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/4976-16-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download