Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 06:34

General

  • Target

    c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe

  • Size

    383KB

  • MD5

    b1372b6597ab5020cf03ccfe6ac47903

  • SHA1

    428b31e9082cd1e00899c24533f700f3ce50ed31

  • SHA256

    c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4

  • SHA512

    6f51363bb8a7edf24699a07157d2892356bac1071b3ba8b220e5118164ef571e511844df23e98cc5dcd98c65d6ff80508df8c86756bacdcd01eea9967912dae7

  • SSDEEP

    6144:nVfjmNKJlrpfX7TME2xdQ1LziCOONeswO/xVn84f:V7+CPXsdWzimJ/P8o

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
        "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a688D.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
            "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
            4⤵
            • Executes dropped EXE
            PID:2900
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4044
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:448

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

              Filesize

              251KB

              MD5

              f94afa1cae163777a4ead07058d9b026

              SHA1

              f9076e8e06e3f5eaf76ce771473be0b0045fc3e9

              SHA256

              cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362

              SHA512

              54be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              570KB

              MD5

              a964e08fd0a647bcefec2700384f64f2

              SHA1

              efbd5172da29dad460b6db2931ba6ca15c64f229

              SHA256

              043177ace13169a9e2db63140168b5964b8cc16fe018d411966ad36f3d796daa

              SHA512

              b7ebbb3aed8244ea6da59fac99d128e18efc6add29d972d05489db2cb19e2792e905ecf7a164de9dc4299a62fc87c698bb4f8cda0dc7b54620f8b96d28b10242

            • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

              Filesize

              636KB

              MD5

              2500f702e2b9632127c14e4eaae5d424

              SHA1

              8726fef12958265214eeb58001c995629834b13a

              SHA256

              82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

              SHA512

              f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

            • C:\Users\Admin\AppData\Local\Temp\$$a688D.bat

              Filesize

              722B

              MD5

              63916397f955683998a1fe2d0caf0276

              SHA1

              b69cd86b370e871905833c33e4e5805378c4dd3c

              SHA256

              9737e1c9427010e423a0fce3a8e957de8f55c7f3873c9f8b49b4f46f0845b178

              SHA512

              402e115660e981259d09bbca385262ecbd79acf28497b4ef627c96a99fc749b93713697aaf42d1f38e86b45997192f8fd1e059927fd3a56540516df089409988

            • C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe.exe

              Filesize

              357KB

              MD5

              27d23ccc82e864992f272c4e04609074

              SHA1

              328a01ecd907aaa0f95ae1493b3d8bc28525ffdb

              SHA256

              b413c90fbf077c9482c3ccf49be8a802883818d6d4240e0526b2cce88e520121

              SHA512

              f1b54de6766fe0ffc221697e8a17f92c953d3c65d64a7b80e2b8d16dc12774f3a65274b0f241e2c081e44987c96dee9f82873f093742ce2018f765e5800a4b85

            • C:\Windows\Logo1_.exe

              Filesize

              26KB

              MD5

              d1bd53e7079e1416e563b6787c74f3f8

              SHA1

              dfbb7850f591cc74bcbe86418b5ef11522e9e7b0

              SHA256

              b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e

              SHA512

              bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f

            • F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\_desktop.ini

              Filesize

              9B

              MD5

              60b1ffe4d5892b7ae054738eec1fd425

              SHA1

              80d4e944617f4132b1c6917345b158f3693f35c8

              SHA256

              5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

              SHA512

              7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

            • memory/1528-12-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/1528-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-27-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-37-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-34-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-1232-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-20-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-4797-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-13-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

            • memory/4044-5236-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB