Overview

overview

7

Static

static

3

68dd2863ed...8c.exe

windows7-x64

7

68dd2863ed...8c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe

  • Size

    89KB

  • MD5

    825542c22924ff45332ad53271d47a4d

  • SHA1

    0c506cae9ee66b4e30d2a42fb3e8eca349d7d095

  • SHA256

    68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c

  • SHA512

    ae654550ddb8a0fc3e4fc922899a998d4a9d647b72deb0cd7e37cf890c590b5fb75cbc66d9e433841cbcd885a88e190f9ce462896d2facf412f40fd55c1d8048

  • SSDEEP

    1536:tfgLdQAQfcfymNG+KxzFXc9CDn3/UPhLGxfk3YMKbNU29hrKkEC/RKD1:tftffjmNoxzFXBMPhLGx8ub+wEC/i

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe
        "C:\Users\Admin\AppData\Local\Temp\68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C1E.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Users\Admin\AppData\Local\Temp\68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe
            "C:\Users\Admin\AppData\Local\Temp\68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe"
            4⤵
            • Executes dropped EXE
            PID:4512
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 312
              5⤵
              • Program crash
              PID:4860
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1400
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4512 -ip 4512
        1⤵
          PID:5248

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          251KB

          MD5

          ca8d3b8f9d8250daf67e6744e9cf5157

          SHA1

          8260cd1660afd6c44ad686d02f56d5934c13058b

          SHA256

          9d42fd3f7b5c98fd818fc8c466d9b66f2a5032ddbe2843c74a53335d59d97241

          SHA512

          8c7a6bfb7252dffdf96adb7647f0e2a047e1877befe0844c8a5452537a8d85fd1e90d8c0630f4efaf607c19935bc417f03f36ce60c895e9e2693b13252b1d242

          Download Submit

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          570KB

          MD5

          d85cb7764972318510d95f195458bf54

          SHA1

          6fc428c00faa4982814c0b8dd5c24d4e66398102

          SHA256

          5d6d26413c18d9a12cde93924042d9d3930a4cb5ad460cb9b252bf0b7f191546

          SHA512

          dd8e9e7566c95443053a444af6f61f37a26cd4da1787fada2a09fb9e63a99a5be56cd18d3a9936ea686d3e40174881ba9e3d8583ea135cc6fe5ad3eea2184aa1

          Download Submit

        • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
          Filesize

          636KB

          MD5

          7c0581e2c34a99e0e6b7b63deb7540d8

          SHA1

          2ad688b178321284f2eab56ad02ef1d32e7ea46f

          SHA256

          200d8896a4cf3d442567696ff425b2aeca8b87428173337c4f5b9022ae0d6ab0

          SHA512

          4e65033131dd98ef1eb39d5da1c3a92b8d4c3ca083edb3db7bf9f555e57285f9f5c63bdc4d24cc5aa63312edd216ebc74c0a7f74ed38783e27998a2c013a496e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a3C1E.bat
          Filesize

          722B

          MD5

          432cfaa65ce4e80b546012a06fee0a6f

          SHA1

          12259f0c6956f5bdd27b94bbe129daec41244d88

          SHA256

          0a9b16fe90e0c595c91cc1784ed1590955eb1074a302219ccd2aff310eb9ebc6

          SHA512

          6abe4ed65bfa6e6b94ac640762e810596656c3c5f53499054737ea402c63eeaa84f87f045996f01cecdb65952fdc428b947800cb9f2e542db1b0ceda04e5ea3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\68dd2863edf8933492f26696f6e970f204ea9c2a73c21250fafad415f82a938c.exe.exe
          Filesize

          63KB

          MD5

          e58fa0b482c0b12c20ef19ead605566c

          SHA1

          d955f989db7ce385ded9b93fb32c78a8fe05a051

          SHA256

          3b15d5fdf50add77bc7da8c90e5f2f5f5953cb7720146bbe6606de0cc9dda22d

          SHA512

          98203e58cd3e06845ab64f4396a6070d886c3844b897dfdf35f89a5e25107d164056eddcfaa16d28db370411ff04fd235609ec95ed27006b0d37bddc36193bbf

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          26KB

          MD5

          d0b6f2e25042b4e55ccc4c5ee9a53c15

          SHA1

          f3af8c3f61838c74a0b99eb05ce4fce62985afe6

          SHA256

          99cd69b0cbf830acbbc1558f087885ab8ffb5d43a1395138333500d05aa049dd

          SHA512

          54da4431ecd27c9f305328307c39bbc26fb8719f0312087497569161cf1482636a2526e787f05ea862d705d4f5a61f5721c568d13b52607db014c117d215f6a7

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-2447855248-390457009-3660902674-1000\_desktop.ini
          Filesize

          9B

          MD5

          3b22ce0fee2d1aaf2c66dcd142740e29

          SHA1

          94d542b4bb9854a9419753c38e6ffe747653d91c

          SHA256

          8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

          SHA512

          efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

          Download Submit

        • memory/3108-9-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3108-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-27-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-34-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-37-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-39-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-29-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-1232-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-20-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-4787-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-13-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4852-5226-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download