Overview

overview

6

Static

static

3

eb1455ac4f...d2.exe

windows7-x64

6

eb1455ac4f...d2.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    151s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe

  • Size

    26KB

  • MD5

    3f2d3014196588ffc6fc985863a505d5

  • SHA1

    cd523f7c44dc62e45c5df5c60f732b1c4ecb661e

  • SHA256

    eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2

  • SHA512

    c22ec9c25a5ff334d53a725981466df13b82afd6a6d02b2eb3e84a07672ee5ccd461e2f8df8f3751fef7c8fcd0adb39b62f76b0f4730e0c143a3fcb0e5235887

  • SSDEEP

    768:yo1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:ZfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3316
      • C:\Users\Admin\AppData\Local\Temp\eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe
        "C:\Users\Admin\AppData\Local\Temp\eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3212
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1764
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\dotnet\dotnet.exe
          Filesize

          165KB

          MD5

          5fdec5bded45e9b50e1526e5f43e4597

          SHA1

          3c9bf070ee9a90eaaf2f6e4dde4c1227f70ca4e5

          SHA256

          cb7ed73d835a7205b37eb2956ee9b9d8ac8e40cf34dc6cb114ea63639935ff18

          SHA512

          3b19172089d908449517bd3bb02edfd3cbead235382ec6d518de08b2a0bd0e0d7d86718540cba31793bd7dae0fd365244c50415186ca0742fae6522a162893e3

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          9B

          MD5

          7ef570b2b21e58fd906ef1a980d64425

          SHA1

          18502489f652e74f8972bbfa100d5c163d719ab7

          SHA256

          c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

          SHA512

          e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

          Download Submit

        • memory/1836-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-5-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-13-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-24-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-28-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-276-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-1002-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1836-1169-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download