Overview

overview

7

Static

static

3

c6d0563e34...70.exe

windows7-x64

7

c6d0563e34...70.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe

  • Size

    959KB

  • MD5

    75020494537a2bdb2943882d40dd8195

  • SHA1

    c12e379e368a2f16d734187a5a93f34dcd841f68

  • SHA256

    c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70

  • SHA512

    dbc5c283e2abe941c1c7333abb5d426c22c4066b4072cd8fab26875b1267dec2256263ebff3117d0b3123d05d156b8c583e0169beb1afb5e42561d3821ffb7b1

  • SSDEEP

    12288:dRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:aBpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
        "C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a345E.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
            "C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4444
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3164
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:620

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        247KB

        MD5

        c879677f1e9cb2e60e9cb5324c0c75a2

        SHA1

        c417daa774a472027bd1d5eaed3153ea6943c905

        SHA256

        95e4e0c19c274fdd5856cd2947c6f2d19376c64091dcc8f02c5db8f271d699ca

        SHA512

        fb2dbbd66bde3909e051a7926032ada86e3713cba16c08e4979253de833d33d67271f8e7c3ccb1a1d88668bd02a9705d9f6bd7477b1ec229f98f5710502ab145

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        ab7e4ffd7e83522ba7ee00bb98b3d958

        SHA1

        153d87d440c02ef0be986ce7101b08fcad77ed03

        SHA256

        324238cc51d3ad02a664f467c4bd8cc1ecdfa8636b6209e7f9092bb16ff2808d

        SHA512

        91592528cef6f28132db8a63ebc1f4d3eec318affe5c1606a1701bda315527ed5c807c2bf7152f5503433a9a29dddf7e6bc34b71c416e1cbc90818f0ef93833b

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        73b84e696764a6109051d306b9e13984

        SHA1

        4649e99be02adfdd0d844013b3bc61be85ae28bf

        SHA256

        ab5e87fc7a7d616a677f0a69f1eb858322f1c14defa4ea04b9fd05f0c7e166de

        SHA512

        1692b47b0f9743a6160134849323e518f5f7689edf8b8bae17385354d034b307c29a0793652ed89c7a6df6e8fd21d59525620ed6176542bd8607e9938788b680

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a345E.bat
        Filesize

        722B

        MD5

        8f820d696f1c3ab6ac1044de95a38cb2

        SHA1

        972dafcb75b9b93ff713f58855218decffac2e06

        SHA256

        ce91ebd9db7b28a41220f025615aa5de2989352eafa60fb43711d3dca02f237f

        SHA512

        b57cd7c47c858870f4a2ea33efc7ff8ddfac425d3e532ab96927181edde68f9b621551933b05c88783e34082501e8bb3ea7964391a4a2f270323c26b95bb50a4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe.exe
        Filesize

        930KB

        MD5

        30ac0b832d75598fb3ec37b6f2a8c86a

        SHA1

        6f47dbfd6ff36df7ba581a4cef024da527dc3046

        SHA256

        1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

        SHA512

        505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        03973cef2ce9ef838925b809f4642c92

        SHA1

        f12bf865a7e4a89996ed0e75b92999af0fc55cc6

        SHA256

        60c5eaa615c1089024b316e63ea3e2430bc32be662c8936ffee89b2b0e6b711b

        SHA512

        a1466e20bdf93aed87c7a5edaef24165e07a3d6f833cc5953e2c61b674b48f1a4432eaf9f2694851543d7845bef862e0ae50f89ea86ce981863106f197a9482d

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini
        Filesize

        9B

        MD5

        73b8aef84e892e3f77d41747dce253db

        SHA1

        d642a92c96e4ed570d998a73e42fc24fafe8caf9

        SHA256

        a81f7465f537233bbd4b8fa9034e52a8ceffcdf97bf36244c4d404ebec14eb24

        SHA512

        9b0690efee220355932375db333b5487c369ca9fdcf8497bcb5283d78d21fb4fefb7c06bbe533fb1f18fd3b32256a013090af6dd957b9d09cc373d0d5b89cf6d

        Download Submit

      • memory/3164-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-36-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-1236-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-4800-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-8-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3164-5263-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4492-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4492-9-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download