Overview

overview

6

Static

static

3

a1c4765489...30.exe

windows7-x64

6

a1c4765489...30.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1c47654896d7c78937bf82083af325d1eb007deee89830ad78d48659e9e6730.exe

  • Size

    26KB

  • MD5

    f6bc7ff37e4968ed377720ee5e275f9f

  • SHA1

    2ac8d03270bd7acf83191669d7e60f4e640452a7

  • SHA256

    a1c47654896d7c78937bf82083af325d1eb007deee89830ad78d48659e9e6730

  • SHA512

    7495c95835c25472b619cea2f303c3a66be88e0967a715df151379f31a30bda2c4392c845bba78eaed939197e080d70decf01222c58ed0ab6fe4c2dd62bf95db

  • SSDEEP

    768:y1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoGwXnKx:UfgLdQAQfcfymNG+Kx

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\a1c47654896d7c78937bf82083af325d1eb007deee89830ad78d48659e9e6730.exe
        "C:\Users\Admin\AppData\Local\Temp\a1c47654896d7c78937bf82083af325d1eb007deee89830ad78d48659e9e6730.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2576

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        03f2b0baf58ba658d3a68c3a410c7103

        SHA1

        aeea14914f27c7b4d962caeb90e9dfadde1fffab

        SHA256

        895644b779b1d449613044a4f5f7da13ce5bebbda58d97961cbb7d1f18d95c40

        SHA512

        efc74a220ab91fe06331ac388149cad22d88f12aae2e3d601f00570dde02d06c61421285608a48287e8f688ad1112cce57e287f8d87700fd59d4f162a946f706

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        170KB

        MD5

        6eddfdafa8767bcc4eb918f3d44a4ead

        SHA1

        cde1466e68ff4eb3a7dcfb10a62ae70d58f42607

        SHA256

        399cd519fd5e0fb18be2686df2586b4d752378ed59484f21e45e34d73bf2d829

        SHA512

        5edbc2215b4bb0173ee4252e16b607dfcb1e960a3d0833d09a909bea59d048c0d554c740e56c9d169dbbbc9ce6997766c8f618e8588e8531dd052a3b3a114acc

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        7c0581e2c34a99e0e6b7b63deb7540d8

        SHA1

        2ad688b178321284f2eab56ad02ef1d32e7ea46f

        SHA256

        200d8896a4cf3d442567696ff425b2aeca8b87428173337c4f5b9022ae0d6ab0

        SHA512

        4e65033131dd98ef1eb39d5da1c3a92b8d4c3ca083edb3db7bf9f555e57285f9f5c63bdc4d24cc5aa63312edd216ebc74c0a7f74ed38783e27998a2c013a496e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/876-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-1212-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-4780-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/876-5219-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download