Overview

overview

7

Static

static

3

649e69d6b5...ee.exe

windows7-x64

7

649e69d6b5...ee.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe

  • Size

    453KB

  • MD5

    2ce6707bc6119085e6be4848bfb0c1de

  • SHA1

    3c9b3987c9e1db40a35c4f4032ee68eb5fd3bd4d

  • SHA256

    649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee

  • SHA512

    c12a6e4c82d84f75919d4ab65d795fa13bec5b23dafcc2840af3ab317563424363dda36112390a2b7869b0821c055037438da52e6ea7120bc56f711691af9c07

  • SSDEEP

    6144:4uJJUTxxIXB0iS0GaYApLhTrKUfdOtvHtKrr4Kdyj7XKUTa8m23d7KJqKWMJcjof:PUtNL8YcL5YHaI7XHgZQKhJgeCmdN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe
        "C:\Users\Admin\AppData\Local\Temp\649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51C9.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Users\Admin\AppData\Local\Temp\649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe
            "C:\Users\Admin\AppData\Local\Temp\649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe"
            4⤵
            • Executes dropped EXE
            PID:2100
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        31b58266e648b3ce129dbb398da4eb8d

        SHA1

        3fef7bf9dc3e9a9cbeb336f961122328e98728b0

        SHA256

        f7ff76094663c11af4a4849043227d365924ab84b94b2bbcb533a87f20ccff58

        SHA512

        f9dd0e0cebdeb060f238d071672c2f6aa808eaebce5c8ff016c90ca6d74b35467e86596e7fba8d2b2b37b8f90a650cad74530e024d1b6ff717a308393ab1e334

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        3888ffddbafbbba14619f7feb8539dff

        SHA1

        f51bf92ee7697f5e93dcb946e35962d48482faef

        SHA256

        68266f939fe4989bf6c860d512f01f0610a8d0978379a4e3cee18b309a189bf8

        SHA512

        2bd5374aee1f24205c74ebe97f4dd7a281f67227447a6b84e58e900f3e8dadce0fcb95c47a27648a7630d7eb53e758d6edb590a20fab7667fca442438f1f7271

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        c8d281da4c32df16eef470c27c8cb459

        SHA1

        00efc9f6844bfaa37c264b6452c6a7356638ab10

        SHA256

        058c81e5a07f2c6c33cf28dff71d07ad8f179046108d945159957e891bfd9c62

        SHA512

        e3c79e19f620068f668d4ebaa5097f1a95a30dabb8dce75f3787171dddbea9f684fc7ce8d1011a398f38084d7af96dd1ff9a02d25906aab9b13861b8363d24bb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a51C9.bat
        Filesize

        722B

        MD5

        969220e4a0ed3f43ecf27bbb805c5e2c

        SHA1

        4b56f5d9adaaf6716619347330bbc4c9c6413b35

        SHA256

        70872926034254c4c69c965ed24e6c42ff23e55cd8a62716f05a00d8ffbbc681

        SHA512

        51482f4c294d77d77ae13f329566a71c4583443aebf32eaa8dbd409812ed0ed3a4757c954a5b6c22b0866fc9c907ef4af55f3392269145a14985c92f02b529d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\649e69d6b58510d2ed608994c599c6ad81551023d79abb351554f964186e24ee.exe.exe
        Filesize

        424KB

        MD5

        29e177c7bb7343f365f12ad9a8af4c48

        SHA1

        116569c0e97853f01a2bd1c2c8b5a9c0c8e1c6b3

        SHA256

        197fc8bbd50333cde901ca625937407b6c11a393d019dfe56fcee17719f1053c

        SHA512

        635777358e113ca2abcd2a301d50cb8dacfd48d1055dee6060fe2b38b3106e172ce828169385762936a23782ee6d5e6b10b607183576de4dbea1e3c20ec802f3

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        bc2a08f1fe0430eb261fa12807b391db

        SHA1

        cfc8edda8d2a0eb6677468da30013b8c54a7a37c

        SHA256

        7e2c164ef33df9f9c8d4493d7ba3ddffeb8d6a9a6363a76334472f52feb3f5bc

        SHA512

        36419d572cc6e7f08c401dde59233bb4d50939c1471147572f11f1a4896eeb5a89228a945eb43d94fe0a6c44775a16c3b2f1c49691275d814f86105a1a346a49

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini
        Filesize

        9B

        MD5

        7ef570b2b21e58fd906ef1a980d64425

        SHA1

        18502489f652e74f8972bbfa100d5c163d719ab7

        SHA256

        c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

        SHA512

        e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

        Download Submit

      • memory/2980-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-36-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-1227-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-4792-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-8-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2980-5237-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4968-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4968-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download