Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/06/2024, 07:34

General

  • Target

    fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe

  • Size

    26KB

  • MD5

    d880c45f5fdc437b2171ca08b6fe4bd7

  • SHA1

    32e2fe3f1dec04977e99f4703ec91ace6ddeb92e

  • SHA256

    fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90

  • SHA512

    420537ed44be11fa1364a9ade913e4e2adb5e90a8c18ad24a41159b9aefdbd246daf8f1abb562a07a44091336034a0f680bb0e444e0315b5bd853b2c6d43a9b5

  • SSDEEP

    768:B1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:XfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3360
      • C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
        "C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4388

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          251KB

          MD5

          1739f92ac794136b7b005e3a65d03e22

          SHA1

          3aff88b7c7601941cba191ce2817c3bea01b834a

          SHA256

          e263b8c0eab9cbdf8a0fa5360727bdf6ed892097a0990e688de929195f63508f

          SHA512

          35d8a8b579241000bd7cca8c3ec80e3a02d4ae569c08b7fcd2b9d9c028e60954678825c2b26c0efe7fe17f2f46cc00fc839b0d542100296f71201b261a69bb85

        • C:\Program Files\dotnet\dotnet.exe

          Filesize

          165KB

          MD5

          dbe4e1e5bdd0b3e9eb76d56e4b6e7fb6

          SHA1

          9295f140456e6f877267194c0c8669d847847c53

          SHA256

          29a2b4e8aa964811ed07d719203e3791a35fc006f6ca9545ca0aeed7df4758d2

          SHA512

          7aadc949c70fd64f030ed2e930c33a9b60df3d22b04e06a1c37b02e0c4a32c3ac8af52abad0d3142da344b7648d9bb0f79cf2ece346fd8ebe22664bfd3478142

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

          Filesize

          8B

          MD5

          9bf5ad0e8bbf0ba1630c244358e5c6dd

          SHA1

          25918532222a7063195beeb76980b6ec9e59e19a

          SHA256

          551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

          SHA512

          7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

        • memory/4888-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-5-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-13-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-24-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-28-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-1001-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-1168-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4888-1963-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB