Overview

overview

3

Static

static

3

da17ba599d...6c.exe

windows7-x64

da17ba599d...6c.exe

windows10-2004-x64

Analysis

  • max time kernel
    41s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 18:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe

  • Size

    236KB

  • MD5

    56999d5ccc4d91a7c98d90b49bed2807

  • SHA1

    022f9537f5b113f9255de6d40fc614a56ef27cf1

  • SHA256

    da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c

  • SHA512

    2fb0bd2a7088dd991921bb2d0115374b7a11e43106da24fe1ca52f10d76bcf1854dcfeb442c2716458f66a967580c650977b2c50957904cf8640881e1d35e44a

  • SSDEEP

    3072:JUaY46tGNFC0VFnpVOqhtWAGYWOvTE4BwSfGuLG8NoqJEPyXK/aWbJSP5xV0BUj:e46tGfC0jnz4KUuS8oqJIgKGe

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3344
      • C:\Users\Admin\AppData\Local\Temp\da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe
        "C:\Users\Admin\AppData\Local\Temp\da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3492
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4759.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3200
            • C:\Users\Admin\AppData\Local\Temp\da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe
              "C:\Users\Admin\AppData\Local\Temp\da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe"
              4⤵
              • Executes dropped EXE
              PID:2592
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1060
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3692
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3100
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1360
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:436

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  256b0680af798047a835349001fd7c41

                  SHA1

                  4e43e0268f7f67c341189b7a1ce6c2baa063cb19

                  SHA256

                  7fa5727c71a47da122856c4af832bd40f9f9b04393ee2fecb82b5031ba0852e5

                  SHA512

                  9564596dffff045aa64d145c6f06951d55dc95d1efaf64be425b1c94cfdb205c13264cf4f27fb3bae5e3e75c32d5fe591d1f92bd4b0d7f9ea279862b78530957

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  11ad98d96a68eab26bb4077d6fe66965

                  SHA1

                  2c2bb45a1fc2d876092eb437c4b663408a94c3eb

                  SHA256

                  4b2e66cc5fc849819829a4f3f97234c18d47b5b2902af2789e4c92de8d0b7cce

                  SHA512

                  f5c1da49e728f1952a04ff6a1fc8afcc643db62151d28d728f08cd7b2b8591e7c9826086d467c1204215df828e34b5c881426e6931eb367705d1de74431e67c5

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  644KB

                  MD5

                  0eec0543603f7a8ce8e8f5fee478e1d2

                  SHA1

                  f975d2b0358d8f138bdbaa04e433d85297f29c2f

                  SHA256

                  636c1c024e59354f13d9bb02fa8f3849112c4557ab790a37146b1c121e597b24

                  SHA512

                  cbcd9919c79180c43d588c27107dd04c04378da47df03cb27f072ee296e9c23a7690e3196b457dda14bcac96a38617f597c83a47a813a58c813f3affbd6a2a05

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a4759.bat
                  Filesize

                  722B

                  MD5

                  c27a780d43354d81207e5f67d36047f8

                  SHA1

                  51691d2d5c5ddd5dfeb4da07dcbffd75b42fab31

                  SHA256

                  547f1820e54391297c785e46166391b9dbe73bcfb8b863a832de512a04ded104

                  SHA512

                  6eb27d3309647eaae7cfe823dced5fdee7a4fd328f5b0c7ebd5ae2aeb9cbe70ba9e78b0e571f8d55d8b5389464544f39d6af91e81133a80c02c445a9c866dc72

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\da17ba599d0f91d9f17fd55c8ac4a69191cfcb110c0d3c657c8aa70029dbd36c.exe.exe
                  Filesize

                  203KB

                  MD5

                  5f1ba3be7e873d24ef709bbca0d07f88

                  SHA1

                  7ea62d7d32a18b6904b36501fb4cad573c99ed36

                  SHA256

                  9d4ebad94997f790d19e8d998c4ee749aa6f73e30fd5512a48a839cb28c75470

                  SHA512

                  28f6b537ecfffa21041cc317437db1f3970484ebd45b335bd12f3f3f81c58926b4fb9ddcf5e210180cf57106722c21257ff4e95b23434ff5b685882661b6af4d

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  0fbf02d223445d573f072dd264ff499c

                  SHA1

                  a7c8f8fbbafa35ae853394f9b0e6436661b7b1cb

                  SHA256

                  0f613830d4414afd617e8e2d765db67ba765ce6d6e97f11b564be43e87ae82a5

                  SHA512

                  4708c6abc6b615c0537f6f67d7c73a35f9e013220f8798c24cfc2007a51ab7443e143a942ecf6fee90705043e58ab97c1df800a5ddec2da9a10ce8e9d5248fb4

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  842B

                  MD5

                  6f4adf207ef402d9ef40c6aa52ffd245

                  SHA1

                  4b05b495619c643f02e278dede8f5b1392555a57

                  SHA256

                  d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

                  SHA512

                  a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  9bf5ad0e8bbf0ba1630c244358e5c6dd

                  SHA1

                  25918532222a7063195beeb76980b6ec9e59e19a

                  SHA256

                  551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

                  SHA512

                  7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

                  Download Submit

                • memory/1060-20-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1060-13-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1060-5622-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1060-8668-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1400-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1400-12-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2592-21-0x0000000000400000-0x0000000000439000-memory.dmp

                  Filesize

                  228KB

                  Download