74d12019023390d27739625773005ecccf1bc6c4547e0c46088e86665e519524

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CH341SER.exe
Size

642KB
MD5

31d825e7d64fe4c4d8ad3ded5f62b6a4
SHA1

65c980145d8a0f268da77a37455c9f1f48092678
SHA256

74d12019023390d27739625773005ecccf1bc6c4547e0c46088e86665e519524
SHA512

5b56856a41ed14d3cd9fcff04cf835ff011a0157c29d92e23666dda9f8f3e45c2c9eddea3190c750c37674a780d5e2f2d40e79cfe4d88a288067f7d8960bb51d
SSDEEP

12288:Uzy6rRxELZcxtT8Wpq24aivyR1DAqNIZbgxHaPa36+Cg:n6rTyZAb4aTDwbF66tg

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

SETUP.EXEDRVSETUP64.EXE

pid process

2608 SETUP.EXE
2964 DRVSETUP64.EXE
1176
Loads dropped DLL 2 IoCs

Processes:

CH341SER.exeSETUP.EXE

pid process

2868 CH341SER.exe
2608 SETUP.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DRVSETUP64.EXE

pid process

2964 DRVSETUP64.EXE

pid	process
2608	SETUP.EXE
2964	DRVSETUP64.EXE
1176

pid	process
2868	CH341SER.exe
2608	SETUP.EXE

pid	process
2964	DRVSETUP64.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

CH341SER.exeSETUP.EXE

description	pid	process	target process
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2868 wrote to memory of 2608	2868	CH341SER.exe	SETUP.EXE
PID 2608 wrote to memory of 2964	2608	SETUP.EXE	DRVSETUP64.EXE
PID 2608 wrote to memory of 2964	2608	SETUP.EXE	DRVSETUP64.EXE
PID 2608 wrote to memory of 2964	2608	SETUP.EXE	DRVSETUP64.EXE
PID 2608 wrote to memory of 2964	2608	SETUP.EXE	DRVSETUP64.EXE

C:\Users\Admin\AppData\Local\Temp\CH341SER.exe
"C:\Users\Admin\AppData\Local\Temp\CH341SER.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\WCH.CN\CH341SER\SETUP.EXE
"C:\WCH.CN\CH341SER\SETUP.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2964

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WCH.CN\CH341SER\CH341SER.INF
Filesize
9KB

MD5
78ffba206bd9552ee20bb91121fe889b

SHA1
1a2bb456c8b67fd20815ae89d84c6e964a763b09

SHA256
2338af9d0810e0c107683eae0326cb1a8d00ef13e73d8f4ef0f42261aa9c6efe

SHA512
d83cf624bb3fec44eca24d56053e42dcb9be1aae0808e92204c3e4748bd923f420c0b2a114991b05ee920919a107a84dffb67ff54ee3a56151559b0d2dfa640c

Download Submit
C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
Filesize
50KB

MD5
39f706639a8e235bfdfe9735e178e6a0

SHA1
31ef237fa08e53753cb0934bdd36537f78cd1ee6

SHA256
707620e8c5c0e31f83a705b9dab5c30bd3f1dfd8f6e5698d6efd643ea5dafff8

SHA512
6a54cd71e04b42cbf8d30e6353188df7e301d1b479a2a3a3ba710ed2a870a2a2bf590904a0a1dff86162ad205a77f433f7c5600fe415f5e6af6c1efacb0495af

Download Submit
\WCH.CN\CH341SER\SETUP.EXE
Filesize
88KB

MD5
3a5073fc9d6e4a7102a97e8a971ae6de

SHA1
1d0bc75a657aa4222687ed95309bfe9b69dbacf8

SHA256
2f6c540841884be0f61c9a63a83d4ce68f2648e0edd46af78b0f49f88c45f7f2

SHA512
45bce2080e6838adcbd94d66fe9916e265458e68504cb388299720e315a1f0146bd2dd7140a21298da8d2a686dabb2a5fc23e4f2c1c2fe7e5a0f103ae4328c41

Download Submit
memory/2868-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download