Overview

overview

7

Static

static

3

a4d8764632...f0.exe

windows7-x64

7

a4d8764632...f0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe

  • Size

    86KB

  • MD5

    270f99c59ac69d51228d887529a25975

  • SHA1

    0e8f10b03943fd1f71ae09e90978c6072d14d2a9

  • SHA256

    a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0

  • SHA512

    f668d302e7103012a9fe34284e55d1f966da37d12fe00ef22ba9acc2b7f3094be297749dd126e6d8b3bcf15c6327da19b5504e09c8fcb8e30104657e748c83f5

  • SSDEEP

    1536:93SHmLKarIpYMyapmebn4ddJZeY86iLflLJYEIs67rxo:9kF3psLK4ddJMY86ipmns6S

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3340
      • C:\Users\Admin\AppData\Local\Temp\a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe
        "C:\Users\Admin\AppData\Local\Temp\a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3662.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe
            "C:\Users\Admin\AppData\Local\Temp\a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe"
            4⤵
            • Executes dropped EXE
            PID:5068
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4240
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:512

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        571KB

        MD5

        37a190464ed97f82d4a475369defe8bd

        SHA1

        58e08a5e82c97119cbb6a29e4fe4742a47b1e212

        SHA256

        47f4d879187a5923a1db2f8b2eddc317e7bd18a53fe45930672ea725fb9a7d28

        SHA512

        6fab0042a66e63481afd37c9a649a5bd6d1985a6d1a520ca2e3026614b53652e6c9b930c743e93e78f572790747e145359bd0a5d11ea8897667b7d5c00896974

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        637KB

        MD5

        9cba1e86016b20490fff38fb45ff4963

        SHA1

        378720d36869d50d06e9ffeef87488fbc2a8c8f7

        SHA256

        a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

        SHA512

        2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a3662.bat
        Filesize

        722B

        MD5

        489403df05018b67839564834b376563

        SHA1

        5ca5f1b87493403f48580c6de5686438d71b9643

        SHA256

        613b81e66a9accccb16f51968324873dd484ab055a614746a18c3c1284cdba5b

        SHA512

        5c575d728ade60adf25704ae9419b144e05b335cfaa1a73c7e01a7356b01385267d4fa9b83983b0b08e5e66c4eb161ada67d7d0be021eeb920b3262fe5c0a6ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a4d8764632028e7fe0def6618ba40ab05f03a6e5cb938634050060d29a8160f0.exe.exe
        Filesize

        59KB

        MD5

        dfc18f7068913dde25742b856788d7ca

        SHA1

        cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

        SHA256

        ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

        SHA512

        d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        27KB

        MD5

        94102a9e5ae6a399fff46c507c36468d

        SHA1

        fdada823d5206b39a411726891aed00ec96a0316

        SHA256

        9a126829d3a4978c4d21a0033a903921f4557e5a8c2ead98138f9506e17c6bb9

        SHA512

        a01afbdbdc1c71b90af7e85dbc9cef58516ae504b78c219e71212df1e97f236c840c97dfa5cd448d04c084a8212cd13f42b2eb680ec5703a4404aa4e54df80bb

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini
        Filesize

        9B

        MD5

        7ef570b2b21e58fd906ef1a980d64425

        SHA1

        18502489f652e74f8972bbfa100d5c163d719ab7

        SHA256

        c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

        SHA512

        e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

        Download Submit

      • memory/3388-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3388-9-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-26-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-32-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-36-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-19-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-1226-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-4792-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-12-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4240-5231-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download