Overview

overview

6

Static

static

3

964d40ff98...80.exe

windows7-x64

6

964d40ff98...80.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    964d40ff98d1cc0db6c03f15c676749981466b174c3f9cc3137bd7674f6e4b80.exe

  • Size

    29KB

  • MD5

    255da0237ae0305036f8b9a6219d1450

  • SHA1

    4c684f0bd0615af8f2a140273b4599cedeb24d85

  • SHA256

    964d40ff98d1cc0db6c03f15c676749981466b174c3f9cc3137bd7674f6e4b80

  • SHA512

    54a952da097c4c891be14ac2b46afb22f3e9b7ea057e2f1de7dca29e6c41118d98fc1633653771e05ef1fd77a205fcdc62f010c921dbdfd44df0b3ed199ef0c5

  • SSDEEP

    384:NbbU7HAR1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p47+16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\964d40ff98d1cc0db6c03f15c676749981466b174c3f9cc3137bd7674f6e4b80.exe
        "C:\Users\Admin\AppData\Local\Temp\964d40ff98d1cc0db6c03f15c676749981466b174c3f9cc3137bd7674f6e4b80.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4008
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        a384103208a3f16d11a07818e23ad7b8

        SHA1

        7a731d3be497a563c24dbdfcd0b9f3fc44c66a9b

        SHA256

        f66e605e209f213567702b1ecdf179372e8bc4e80d29f43d727a8982a66b4494

        SHA512

        74e218537abdd9765ff8e7e9a060d8db1f6904641b4d503b54ea14edb4c6e35adc42e41bd67a077c9a9be17f4fe2bf332ed5ab6de50b2300b8b4c32c08198395

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        173KB

        MD5

        86b68a90b4e7f785c93bba0ccc64e05d

        SHA1

        b902d4054469bcde10131f9042d201151396a21c

        SHA256

        8f95b3ed2742aa1f3cda75f953c7de27f29f0c7d43480b48fe631e4ab5bb9b8f

        SHA512

        46feeb44b0e7b83be0739c9a44617b55acf1ac5d9f11acee7314621fb4654c94c6919fd4560d9815989c439b6d38d05c94b749feb69a62787d6dc12d1ec0c5b7

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        b602f70091a0c6a0d7b7727dade6b4f8

        SHA1

        c002095057919beae600bcdf3e17f7999989298e

        SHA256

        33f3be06791be9e294a844867e24e8e7def486e7927a8c9baf2908a948accd0d

        SHA512

        a787b4347de7ba6f537f928d938cccb02af7e9f3e6133fe6ec53a7520dab55ee87b9f34821e343ee9ed4c396b53ae0d8ec93165a7ddb39ac8c8ae7edeec2d299

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-259785868-298165991-4178590326-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1296-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-5-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-22-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-1212-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-4778-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-5217-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download