Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/06/2024, 04:36

General

  • Target

    a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe

  • Size

    275KB

  • MD5

    80a879a0679ed4ec53fde4ff1b0cb978

  • SHA1

    bbb4713485c283a9c7b2c565e69105a1075fcebe

  • SHA256

    a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90

  • SHA512

    eb5eab0e960e2d801cca2ae48ccb79f3ae256482e16873e33c64c637a41b5a33a4e98acc0d1b245404924628c4a72c0f1696a329f3589870cf01de19f52617fa

  • SSDEEP

    6144:0VfjmNSO94ruMQfK+4Z33Hs2t0EyL+ta+d:27+SiM1t9ERKE+d

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
        "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C9B.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
            "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4788
            • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
              "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:2300
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4416
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3908

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        8c76d8209d2e719930c9ba1c3aec96a4

        SHA1

        688649466318e5e496c8256fd3168039b3b330aa

        SHA256

        ac040dc7f1ccb3b1a1a0ba7f57c5f1787081c64b56d3af79fdfc24aa69759a9f

        SHA512

        19744836971e4202ee281738f0b895e0b96150642499067e1b51a7434865be790f6a1c65f2163cdbd108adbc7f44ca812c6647eb1952a9925b152b13007ab269

      • C:\Program Files\7-Zip\7z.exe

        Filesize

        570KB

        MD5

        9a82d81ba2e36e6a954f13c6f3447007

        SHA1

        9379936d5b85fc829946d4e67aca1609545c70ad

        SHA256

        1f2ae1902b9b9c1cb54f98a02d3deff12bbbb95e16911640b3bba79113799f77

        SHA512

        08e28ce1842f7e5e910d1bc731231a7e1bbaba6cb499696e6b5d528ef13f7885b3c453165bf32dad4e1c9e222f235ec080d9f003de79494423fef107e833193b

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

        Filesize

        636KB

        MD5

        82168b5f40194e6e86457c2b534cfc21

        SHA1

        3e2702a384a03243e98ee6866e09f6d5df9b5de5

        SHA256

        c2f452c90356d0070c71ce17da69c4245dc24f46e1215eca22748567e48279d9

        SHA512

        6d041166b41e4608aa46b1724322a22d49e5d709f4b1bf89d2c6819282a813c88cd74ba6167f337d4d36a741ae53830b04e58e92fbfc597f85cd7f763284c774

      • C:\Users\Admin\AppData\Local\Temp\$$a3C9B.bat

        Filesize

        722B

        MD5

        05f7679b2764230c25a85dc98f846974

        SHA1

        6d72467a519bc1f2177933ab96bc228c4b35d553

        SHA256

        9a9c4c54c041e7ed7cfb1de85cf52959cdbe8fccd557010d4df14211b3f273ec

        SHA512

        28e43370086ebbb1536fdeda203555ef70929be2c69f9fd0fd8b17baa65c5ed3a324e51ae24b645d3b151ebbcdfeed73091b866d03fc882c947bec623f8bea0d

      • C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe.exe

        Filesize

        248KB

        MD5

        47a6c51c0904f930c3ea2acd11843598

        SHA1

        66dbd0a1bef915d2efbf405b5da32a0eed93a62c

        SHA256

        4cb64e345f2ccf5bb6b3493dc55b11048ef249baed3645b09033758c652734af

        SHA512

        455d26fdaf4396106096c6e1698bf58864ffbff1b073adfafb2c8f66dbfcca502ce452011064bc4ccf38341b848cbd7b02a3471331356ffb8a117ec0bc1a428e

      • C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\StdUtils.dll

        Filesize

        100KB

        MD5

        c6a6e03f77c313b267498515488c5740

        SHA1

        3d49fc2784b9450962ed6b82b46e9c3c957d7c15

        SHA256

        b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

        SHA512

        9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      • C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\System.dll

        Filesize

        12KB

        MD5

        0d7ad4f45dc6f5aa87f606d0331c6901

        SHA1

        48df0911f0484cbe2a8cdd5362140b63c41ee457

        SHA256

        3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

        SHA512

        c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      • C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\WinShell.dll

        Filesize

        3KB

        MD5

        1cc7c37b7e0c8cd8bf04b6cc283e1e56

        SHA1

        0b9519763be6625bd5abce175dcc59c96d100d4c

        SHA256

        9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

        SHA512

        7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      • C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\nsProcess.dll

        Filesize

        4KB

        MD5

        f0438a894f3a7e01a4aae8d1b5dd0289

        SHA1

        b058e3fcfb7b550041da16bf10d8837024c38bf6

        SHA256

        30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

        SHA512

        f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        803416611d3ff9892e3e5c729d18a4cf

        SHA1

        bc99a7db9810cc6c08c4c1eee041d666396a00a8

        SHA256

        44dd551c7c131158282194d127971c71fa4e16b60b526f3886427bdd1b52eae9

        SHA512

        02ad74b45ef2338c97df02d421951b43730531db1c9cc88e85ab294ebf94f7cd0f2991278a4e6e9c4af3dac0f7952e7f2ea09ed14a3ce6b16990371c3d5ec083

      • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

        Filesize

        9B

        MD5

        4f2460b507685f7d7bfe6393f335f1c9

        SHA1

        378d42f114b1515872e58de6662373af31ab8c7b

        SHA256

        47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42

        SHA512

        75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

      • memory/2332-69-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-63-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-73-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-13-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-1267-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-4833-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-56-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2332-5272-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3632-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3632-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB