Overview

overview

7

Static

static

3

814d52765b...21.exe

windows7-x64

7

814d52765b...21.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2024 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe

  • Size

    819KB

  • MD5

    46d9c70b081f916a9e85bbe6f59c9840

  • SHA1

    f1e2fb1f9f6ebdbcd826fd945d0310c1bf8fe4b7

  • SHA256

    814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21

  • SHA512

    1beaf3e9c9e42a0789ef4d7ec0555dfb4a968f21530a639820be3dd808beec089903d0d714a11bb099b9deb0eba010f7e2271ce563d1bdeec7aa9edc9a30c32f

  • SSDEEP

    12288:d7+K/AwQ9izQ46IOwAyKm9vRlN3LUcqC0EWUl:d7L/AwQOdOwRVlN3L1qC0EFl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
        "C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a323B.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
            "C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2636
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1340

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        244KB

        MD5

        a96d2d665e3b0345084f727cf367ba65

        SHA1

        6aa0e8c78beb22154460b839d47933fadf9f6840

        SHA256

        79e56b299a3ee2768564e93388be000abb42e36916f278ea92725ec1aa1afb9c

        SHA512

        2667a90a745bbf41465747377515dba944cf2611f09a20b72232e4ee419de9def143771ba95514c865747ff27c3fa5126c92faf767fa12e6ab8f80b7cc2fc81d

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        bcd293f05d8a5c7ba507aff1d5d3a26a

        SHA1

        86e7e55d68533ed4c0a5cc59c5d91a2a7e9d4dd8

        SHA256

        222d5d17cda00f812c787da9bac8e5ff613733b40769502e6283240f1cfb460a

        SHA512

        6870a3514ba0f746538428dc76dcfa21d85b68d701c20d440e63933b086dc3e4719ffdf24c8e10a2f6154d52b404edb4325eccb7f2d6514510334f0b38303e5b

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        6de1791996d651f3155ee087540c82cc

        SHA1

        34994156f2e73f83420a291d0aa9450412806f3c

        SHA256

        60f547c04735a2be00ad11512cefdc7dd07fa92877c74333e614eb7e0ea39953

        SHA512

        532aec603381095de5847384937a2076a8b93b20b04fb26f75fb5aef29be711a0b0a8f9d9506a5c05b848802b0d70c675c7360d30815a129b16a069cfaf74bb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a323B.bat
        Filesize

        722B

        MD5

        3c8e9f743492af94e0b1c54c5138c678

        SHA1

        07bf8c2281e694094ca0f1e38ff25c7d34ed6b72

        SHA256

        6c20540718dfc9e845a8b6644ed5c603e12e538044902bd287769a860de1fc11

        SHA512

        c7a6752ca5373d44b9c77b7980454083ec0b4cb19ab9b781200b191f64d0f554315ee76f26db4378022fd2199f17a7a7ea2b68907c69c28422bca599aeecfdfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe.exe
        Filesize

        793KB

        MD5

        9209338186015547dc9cd90258da09e4

        SHA1

        a6f17d98b85ae07d2962296a25a9e04f35463dae

        SHA256

        6be35fe8543aecfe21ece4a1077373a760e6d22012b32fb19a7a53ef15445b3d

        SHA512

        d7fb31b050dfa7bf31bcdf35650076ba431aca2af293efa0ff85936c387ed70eacb05820b796130b8d7e35307b7a217c1b4eed20298e1c53ed272f19c37855db

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        bfb8bc503f044a45669e6b3df91ea121

        SHA1

        eb1e96b8f1744f71bfad4ef4bde77b71d43d3cb8

        SHA256

        79d9366d8727a8f9c3d255baea4624409cca59b9992740cc97f725cea8099619

        SHA512

        0862bef39adbd801aa283b3d0ab21129836b96c3753bcd79273b0b786f64ce81547a0fe9d5cbe17bc30200ed5f1c707b82aee8894958e09235e029b365cfcd8a

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini
        Filesize

        8B

        MD5

        0282826728a8bfe9c3f290391e4f323c

        SHA1

        ab69946ecc2824015e04a669b8434e8eb2a658aa

        SHA256

        0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

        SHA512

        fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

        Download Submit

      • memory/1868-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1868-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-1237-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-4801-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-11-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4200-5264-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download