Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 22:32

General

  • Target

    2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe

  • Size

    252KB

  • MD5

    40724cf53177a2e069d817cce0715545

  • SHA1

    8054bcccda57a9b7e82288c5b434c23fa8997857

  • SHA256

    2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b

  • SHA512

    6abcc875cb9541c922c3e4ba14e65d23ef297b58e409a60e186015725b2bc28836000e35201b697fbe069137227a2dac77d0c66c4a2a087b5e405de451454b36

  • SSDEEP

    6144:YFpOgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:eplitXqsTkiR7twRx+gD8PJ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3332
      • C:\Users\Admin\AppData\Local\Temp\2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe
        "C:\Users\Admin\AppData\Local\Temp\2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5176.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Users\Admin\AppData\Local\Temp\2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe
            "C:\Users\Admin\AppData\Local\Temp\2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe"
            4⤵
            • Executes dropped EXE
            PID:748
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:32
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:936

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          571KB

          MD5

          0f418753f98875686d7aaa137f725cb8

          SHA1

          5d4d6505fa66a2d7833e99e13969586036513ad0

          SHA256

          0d91bfc058b787849ca58b843ae38380d7e003f90c1ba6497b006fbbde76d9d1

          SHA512

          5e6e1d822657fd0cc859cfb2a1e2344940a97a9f46ff1877724c16882943d79309f94de7897dd38f6b2de27c4d5825b580433404171be98cb92f12a0ada17bd8

        • C:\Users\Admin\AppData\Local\Temp\$$a5176.bat

          Filesize

          722B

          MD5

          eda24ee5916251c0a1ddac42ac104d98

          SHA1

          7efac6ae83e461104bceb52abaf91f40e3cc4ebb

          SHA256

          494789308a2ea0061fd99f51763588b5775e5d64a05d1c76aa84221f65cc8cd8

          SHA512

          978339e4fd8678d9d32d57dca1217506ac96ad3945cad2eaac6ce6b097bb4df397b272fe9d3e55605ca985f6f17374920795fd527a56bba275d40caa01c9eaf7

        • C:\Users\Admin\AppData\Local\Temp\2c61575ffc47c836954fc31763a72ef3365b1520a80a03bec9a17cc745c1192b.exe.exe

          Filesize

          224KB

          MD5

          d4b257c01bbaa68d15d8368475a4e227

          SHA1

          fafae083a882e163cfa8c77258baaab891c17df2

          SHA256

          dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

          SHA512

          167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

        • C:\Windows\Logo1_.exe

          Filesize

          27KB

          MD5

          3262af3b3175a752b3dc89d5befd082f

          SHA1

          e21b1e0a8298ce207987bf3479d995516ffb1c4a

          SHA256

          9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788

          SHA512

          c2a167c48d803b206f5235cd61ab0f165241fe50d31f0471a117d692d7b3cd87a546ed2e03c7e6c261d0887ea77960e69ae48788cd5289c8142a1ba97a60b720

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

          Filesize

          8B

          MD5

          af485d3db9f82d3e5bdc8c6d87fb742e

          SHA1

          f879c3dbd3d34e9789ff73896508bfbeabbf7468

          SHA256

          7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759

          SHA512

          d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360

        • memory/1468-43-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-20-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-9-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-27-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-34-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-38-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-75-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-1016-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1468-1183-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/4664-13-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/4664-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/4664-1-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB