Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 02:36
Static task
- static1

Behavioral task
- behavioral1
  Sample: CH341SER.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: CH341SER.exe
  Resource: win10v2004-20240508-en
General
- Target: CH341SER.exe
- Size: 642KB
- MD5: 31d825e7d64fe4c4d8ad3ded5f62b6a4
- SHA1: 65c980145d8a0f268da77a37455c9f1f48092678
- SHA256: 74d12019023390d27739625773005ecccf1bc6c4547e0c46088e86665e519524
- SHA512: 5b56856a41ed14d3cd9fcff04cf835ff011a0157c29d92e23666dda9f8f3e45c2c9eddea3190c750c37674a780d5e2f2d40e79cfe4d88a288067f7d8960bb51d
- SSDEEP: 12288:Uzy6rRxELZcxtT8Wpq24aivyR1DAqNIZbgxHaPa36+Cg:n6rTyZAb4aTDwbF66tg
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2608  SETUP.EXE
    2964  DRVSETUP64.EXE
    1176  (no process name given in the report)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2868  CH341SER.exe
    2608  SETUP.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    2964  DRVSETUP64.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2868 (CH341SER.exe) wrote to memory of 2608 (SETUP.EXE)       recorded 7 times
    PID 2608 (SETUP.EXE) wrote to memory of 2964 (DRVSETUP64.EXE)     recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\CH341SER.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CH341SER.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2868
  - C:\WCH.CN\CH341SER\SETUP.EXE (depth 2)
    Command line: "C:\WCH.CN\CH341SER\SETUP.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2608
    - C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE (depth 3)
      Command line: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WCH.CN\CH341SER\CH341SER.INF
  Filesize: 9KB
  MD5: 78ffba206bd9552ee20bb91121fe889b
  SHA1: 1a2bb456c8b67fd20815ae89d84c6e964a763b09
  SHA256: 2338af9d0810e0c107683eae0326cb1a8d00ef13e73d8f4ef0f42261aa9c6efe
  SHA512: d83cf624bb3fec44eca24d56053e42dcb9be1aae0808e92204c3e4748bd923f420c0b2a114991b05ee920919a107a84dffb67ff54ee3a56151559b0d2dfa640c
- C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
  Filesize: 50KB
  MD5: 39f706639a8e235bfdfe9735e178e6a0
  SHA1: 31ef237fa08e53753cb0934bdd36537f78cd1ee6
  SHA256: 707620e8c5c0e31f83a705b9dab5c30bd3f1dfd8f6e5698d6efd643ea5dafff8
  SHA512: 6a54cd71e04b42cbf8d30e6353188df7e301d1b479a2a3a3ba710ed2a870a2a2bf590904a0a1dff86162ad205a77f433f7c5600fe415f5e6af6c1efacb0495af
- \WCH.CN\CH341SER\SETUP.EXE
  Filesize: 88KB
  MD5: 3a5073fc9d6e4a7102a97e8a971ae6de
  SHA1: 1d0bc75a657aa4222687ed95309bfe9b69dbacf8
  SHA256: 2f6c540841884be0f61c9a63a83d4ce68f2648e0edd46af78b0f49f88c45f7f2
  SHA512: 45bce2080e6838adcbd94d66fe9916e265458e68504cb388299720e315a1f0146bd2dd7140a21298da8d2a686dabb2a5fc23e4f2c1c2fe7e5a0f103ae4328c41
- memory/2868-54-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB