Overview

overview

7

Static

static

3

afccb8fdcb...d8.exe

windows7-x64

7

afccb8fdcb...d8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe

  • Size

    419KB

  • MD5

    ae07471ce4038f0ee5493bbee70a791b

  • SHA1

    f49b164e4d57174001a8fde8f552eec5b10957f8

  • SHA256

    afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8

  • SHA512

    09a65329350cf9f21fe0e4eff436a7c3f254e391b1c44763ebf95d5073cf75b01e8ca23425d9437a08fe6f2391dcbdc8602214f0358fef84b4e84d0d25aa277e

  • SSDEEP

    12288:+7+NnW3gaHC2zUM2WJoROZVXk8hbodzbTw8x0Cx+:+7AWx5k8hb0HTw+x

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe
        "C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2599.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe
            "C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe"
            4⤵
            • Executes dropped EXE
            PID:4000
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:968

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        54c5bafca47fd98082775cde150baca5

        SHA1

        d690d232c9fe3c96c08b0c6f09f33247dbbfa24d

        SHA256

        02a54f80ef13a162345855375dcbf2ad3d5fcbe40fbc39faa41442490b4e95dc

        SHA512

        114df1cb4f212c607d6219ff576357231a7b7b5cb710a269de4dd8d6dca47ccf6962d6412e72c7cad255a41a0bab266d8bfc91cf4051574a29eb8d26993b916b

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        a0f10dd4fca7cba1e1c14cf8f06eaafa

        SHA1

        6551d6efe33694aa7eb53be0f74f7dcd8f8818df

        SHA256

        d673a3aebc3722e2f8cbaf65f21a7d0909f6950b3c49bbfe944fa49c85acc181

        SHA512

        93a5a3fcd450706c28f351390378ca3aed95697986788f2503b3798a7a865e72434bb0ea07c9973a91acdbc42a7fefd27a8adc3db69f4b738727c43100253f4a

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2599.bat
        Filesize

        722B

        MD5

        c4e309fe1b5e8f3ca4b8827ff924355d

        SHA1

        0f95c4c72d72a0c312c183f89dce89117b1374a4

        SHA256

        2b94b3c56843cf37c13473844dfabf1ae3c771d7d9a80ffdc4ba6b0d6ca31635

        SHA512

        9b81d77b76fc41b71e8157439b8f70141698a39cb90f8e7841aac1b8d32f0516ebc28ea1f57076a930455582a8951e0707e9bc7bf98192791a2a2037a2256bb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\afccb8fdcb2f0344a71a8dfd8389ba8babadab42ac662b4908f5eb11c2158ad8.exe.exe
        Filesize

        392KB

        MD5

        ec3fd88c7b552c1e380b4819a6dbacf2

        SHA1

        d1213f26e8fd6975a975b52e2677dc02a4a4d85e

        SHA256

        14b33d10bb9ac0081d66137295ca0653665cc7299d5508bb08e7494e8ce5ab0a

        SHA512

        edcd243df3429652c052c9a0d7dd57ee141d5743d2bf8f7d5bd0c6c9a27d40da6da39d6da2582837268276a2ed4133a37b84d998ecbc6a61bbe15b09148ee798

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        a0a0986d9acf60095b1f86eeb6c1e0bd

        SHA1

        e90f018d99d4af17f0c3df0203db71c45d7a20d1

        SHA256

        adade822b1c385b01ba5d19dfd6d3140a0951df0c572802cfbe34c4c5157203b

        SHA512

        9ae080c368e1d1809a251bbf71efbcfc6678f67c55c8a230afc8fbbde82283e9b44411923cf4f76a79c07d99f6507e85d441e6b99a84fd8c8da134447e3caa85

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini
        Filesize

        8B

        MD5

        9bf5ad0e8bbf0ba1630c244358e5c6dd

        SHA1

        25918532222a7063195beeb76980b6ec9e59e19a

        SHA256

        551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

        SHA512

        7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

        Download Submit

      • memory/1808-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-1231-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-13-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-4797-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1808-5236-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3700-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3700-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download