Overview

overview

6

Static

static

3

7d6bc16ad2...06.exe

windows7-x64

6

7d6bc16ad2...06.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d6bc16ad22467f54bcd248dd4a4e7c6f5f11f7b84c04865f45d4dd2ab1ea406.exe

  • Size

    26KB

  • MD5

    eda47d85eb510a2d8971be2b41b00958

  • SHA1

    00fe13d26675d1b2a7d9c16928a219652b79f6a1

  • SHA256

    7d6bc16ad22467f54bcd248dd4a4e7c6f5f11f7b84c04865f45d4dd2ab1ea406

  • SHA512

    db540ade930a690066d8d5e4d823a17df70b0bea3428f5cd99b3b21c734238dbb7ecab26267606695bd3bece1ab60edc062384a924419981ae068e673d810ae7

  • SSDEEP

    768:RHkN1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:ifgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\7d6bc16ad22467f54bcd248dd4a4e7c6f5f11f7b84c04865f45d4dd2ab1ea406.exe
        "C:\Users\Admin\AppData\Local\Temp\7d6bc16ad22467f54bcd248dd4a4e7c6f5f11f7b84c04865f45d4dd2ab1ea406.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        0c9e9b8bd427bd7f6424e9ad00253316

        SHA1

        59b25bade3382d38b2169ec9d668aef20fb6dd30

        SHA256

        323872c922edaea2a4aac63b429596e97ee6dc91c377417d8f66bf97e0afa723

        SHA512

        bc5d7ef18ee3afc1a810d81afaf2bd85c3516424c1bbe91072dcc41e052b0a1fabf41afe4928b43b2b1e0e0a82319eb6044f0f1faee0d5203cba0d41bfaac999

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        170KB

        MD5

        bbb01d5c07a187a3fc47fa70d6a0ab08

        SHA1

        3c49ba40e1f5aa9e404320bcb6e3192e2ed640fd

        SHA256

        721204c1c0150ced9d4dc034e21a8b500043dd6d74c315eddc7e4a40152ba6be

        SHA512

        75853e778d176c6cd460ff0ed6bec5f060ef256196b9c89a5dd6e5c21d643fa446390d9e517f9edb37cb21875210ad55543a5ea2a06ceaaac5013be07d89d5ee

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1826666146-2574340311-1877551059-1000\_desktop.ini
        Filesize

        9B

        MD5

        c59aab012a570d8b20f60efcafb272be

        SHA1

        709df64d9a23340c6bc42f2bf8dfdca512bff2e0

        SHA256

        8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220

        SHA512

        8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17

        Download Submit

      • memory/4176-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-889-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-1213-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-3234-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-4779-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4176-5218-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download