Overview

overview

7

Static

static

3

c3a2836825...27.exe

windows7-x64

7

c3a2836825...27.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe

  • Size

    225KB

  • MD5

    31e3c783b118d2bb339539328407841b

  • SHA1

    d4c169061171f25f6b0085a71bf89f31db3b688e

  • SHA256

    c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27

  • SHA512

    19ff0fe3e7f0112d8e77982e36fa879eec013ceb3468a43ec1010edccf7d01fa0d26fbcf3653ec8e3cff3dbf4588c0798f46872048f9b8ada1182e3f5f09bbd7

  • SSDEEP

    3072:PkF3pkdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5yGP:cFpkdeKzC/leySe8AIqpoHbnDns1ND9m

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3164
      • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe
        "C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFFDC.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe
            "C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe"
            4⤵
            • Executes dropped EXE
            PID:3196
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4160
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4748
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1140
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2352

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          571KB

          MD5

          0ed4176fe2feddbdb961cbad30b08e0d

          SHA1

          fdb9832eac1b65f314a49feb6084ead891e73edc

          SHA256

          90af27849555b3f75791e7753568b82ba29eab9df1c925b8264fcc985a1ddea3

          SHA512

          db41e7f9eadae30aa4858a8b0a91cf7ad289aefc10aa7850de128a40b4dd1c2de97958579b757d077a04aae033695dac106c2d8b060d61812fa9f4c515ba06bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$aFFDC.bat
          Filesize

          722B

          MD5

          71f360d48cd2e746d6d7d53310c4da40

          SHA1

          72d141124fae81fb7ec98866f3e69d1f1d137fbd

          SHA256

          cb1ee3a5abba19c8b30f9c504f538e92bcaab9b27bd2a46cdb2695710a4fdbf8

          SHA512

          aa817c74047ef68982f8653e0a4582a2c2f8e2791a23bda8bbf2dead7c457797bb8ae4be74065a7a31cee304931345259b9a6fb9ba0172952eb7e50062ce906c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe.exe
          Filesize

          198KB

          MD5

          e133c2d85cff4edd7fe8e8f0f8be6cdb

          SHA1

          b8269209ebb6fe44bc50dab35f97b0ae244701b4

          SHA256

          6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

          SHA512

          701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          27KB

          MD5

          f271a5c31f4555375a10ed8645deb2a4

          SHA1

          36727cdfd2f24650bb2cfcb73da536df0c02de07

          SHA256

          182366e152470e5121fbf62cf437b30765914785831160c7d42e580b4b8e0764

          SHA512

          332b4a02e592195b164bbff884fff650ba6df2903e04a0251dad569f072f6fd6847fbba417cdbe80a0f968421f334f53600ecf26de993193c1e7c56cacdb1112

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          9B

          MD5

          5e45e0c42537212b4bfef35112ec91ba

          SHA1

          10c59c091fd35facc82bbc96938f118ce5a60546

          SHA256

          9f6b7a83161db36757e96dc40936aec1e5a9a41f9fca089f9cf5a4d695dd5ed5

          SHA512

          ee964e08687daa53fdc8e063402791acb104bd59f5d0f8a6d11d3e889db476315641c38032ade4177cd794b060f9fc4e6fd161989e452aae828c875c747e4bfb

          Download Submit

        • memory/2236-12-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2236-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-33-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-19-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-26-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-37-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-42-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-9-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-71-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-1015-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-1016-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4160-1183-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download