cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
Size

1.5MB
MD5

6af1015805cee45d24566eee7431103c
SHA1

e4b02689e876cf59a0b93fa9b32d410fd89b4cea
SHA256

cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
SHA512

fa6555e53a9ba85747d3926de2fdc7e132635597c75b4e7f7004917eb6ff7cfa50d4c0c71a978582153584c0615bdfefbcaef151a83abce2a0470baec94411a7
SSDEEP

24576:I062cSEk8zN/E/F7KcdIw+80zIGwTxgLUX6JyzARFErCX1maX5Vwn9+P7k9:r6PaFF7KcdIw+8UPyaLUXe/bI9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

360update.exe

pid process

2492 360update.exe

Loads dropped DLL 2 IoCs

Processes:

cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe

pid	process
2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

360update.exe

pid	process
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe
2492	360update.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

360update.exe

description pid process

Token: SeShutdownPrivilege 2492 360update.exe
Token: SeShutdownPrivilege 2492 360update.exe

description	pid	process
Token: SeShutdownPrivilege	2492	360update.exe
Token: SeShutdownPrivilege	2492	360update.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe

description	pid	process	target process
PID 2208 wrote to memory of 2492	2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe	360update.exe
PID 2208 wrote to memory of 2492	2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe	360update.exe
PID 2208 wrote to memory of 2492	2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe	360update.exe
PID 2208 wrote to memory of 2492	2208	cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe	360update.exe

C:\Users\Admin\AppData\Local\Temp\cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
"C:\Users\Admin\AppData\Local\Temp\cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\Temp\360update.exe
"C:\Windows\Temp\360update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Temp\360update.exe

Filesize
2.7MB

MD5
5b6af1b2deba7f9b7b154799d0d3b54a

SHA1
25650a8d7e9c4830e3f0837e8139721b289993b7

SHA256
8b7fdc3f0a18ceec91dc327896fe69032b1d5270cb044e8e55cf077ef46ee23f

SHA512
85d4c8b063694f5eba1e3430ecb56c168d81f34a060d97a70c985132994455ae3c57c65a864f5418ed7cff460f7aaf8903c4e9d6d0c679e7c95ff782a75bbfd7

Download Submit
memory/2208-12-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download