9cf96fddf474eda80f2b4c09f8ef19443cf6768429819e4cba7b869291b7b8b5

Analysis

max time kernel
1741s
max time network
1172s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CH341SER.exe
Size

237KB
MD5

1af3fdebfbab3e247feb588aea64dd64
SHA1

d557a8978877199bafe2e7baac63adab17bed05d
SHA256

9cf96fddf474eda80f2b4c09f8ef19443cf6768429819e4cba7b869291b7b8b5
SHA512

d0b7c4dd6726d8e1e894654f671bf4e00c1fdb91fc46f40bb02fd689ff2cca8036b92c1358e10f810fc3e1b518cbcf91b0a1e3a3ee8d36d179ec7bab43ea35c9
SSDEEP

3072:h8U2yJN5f661xRZbALxB1Ojdgx8GYXfPGJ6I7onkduFJcc0WMc23dFORPSPo46Om:h8U2qy6rRZb7jxGYXDFJmWM93dYlGAGs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	CH341SER.exe

Executes dropped EXE 2 IoCs

pid	Process
4500	SETUP.EXE
1096	DRVSETUP64.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4500	3968	CH341SER.exe	82
PID 3968 wrote to memory of 4500	3968	CH341SER.exe	82
PID 3968 wrote to memory of 4500	3968	CH341SER.exe	82
PID 4500 wrote to memory of 1096	4500	SETUP.EXE	84
PID 4500 wrote to memory of 1096	4500	SETUP.EXE	84

C:\Users\Admin\AppData\Local\Temp\CH341SER.exe
"C:\Users\Admin\AppData\Local\Temp\CH341SER.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3968
- C:\WCH.CN\CH341SER\SETUP.EXE
  "C:\WCH.CN\CH341SER\SETUP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
    C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
    3⤵
    - Executes dropped EXE
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WCH.CN\CH341SER\CH341SER.INF

Filesize
6KB

MD5
0ecffba87b80f54f7016da633dd9ab1c

SHA1
e46668f0267651c248944766291791b0def36f1d

SHA256
0cbd34f89b0d11b386e07a825fab531706f86e9da44dcc536ac7c98a6d22c383

SHA512
1738bd22be834b053cabe91f2f53a2686d2091b29cb3caba9fd3033fb94108ad2db42829edc25f38dae22bf46ac9bce2cb5919cbf0b63c88bf7d7b22b2b2ca2d

Download Submit
C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

Filesize
45KB

MD5
1fe688688c2082b37827db54c4282af0

SHA1
d6dc4f97a61a9f1919cbbd7cc52c7bb59b0291fb

SHA256
a5a07ee7b5195497be4796845cb05b38618daaf2af98884b29eead6d073353b8

SHA512
5d2a93ea1c47f1d9623cddf57f4f7961c9b78258bdeeec5cb62a461853be6b7b47c20617de300366e60bb4146b6a283a8ca7694fee3ee8afb90e72875841272b

Download Submit
C:\WCH.CN\CH341SER\SETUP.EXE

Filesize
97KB

MD5
181f68547d52360fc142ac3adc2436b7

SHA1
8d5eac850374e4faf2bac2e439d1e02d2d2c704b

SHA256
a8f306d5ba1a23f587283fd410313f50ac1ac5ce1268938b065130a0dc84c658

SHA512
1ee8fdb1692061482a0fcc6030ece500fa7473586fffe6eb3836b3d3d54bed4cb4fe443de8173d252e5d206eabee6e363c387366b159ae29859c77bbfe5cee4e

Download Submit
memory/3968-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download