Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 18:36

General

  • Target: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
  • Size: 417KB
  • MD5: 99eceb281f12da13cda991a03c298be8
  • SHA1: 31d93c4b71d8960313a18cf1b024ea7ef8f7cbe9
  • SHA256: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
  • SHA512: ab61b735272d58e1613f6d6ea41364026458cf4cd9499fb6a064e2c77ceb452fefec70d9481781bb8cdfcaaa26b698b19d5cf01866c4d433bd8511ad6e8dc8dd
  • SSDEEP: 6144:guJ45eaB+K7A1LBDejpRTxLn1gUkIJsTk0l2mI:S57B9A1dDURTxLyUkIJok0lPI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3196
      • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
        "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1587.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
            "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
            4⤵
            • Executes dropped EXE
            PID:5552
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3568
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 254KB
    MD5: 432aa5b6bcd692caa88869c8bdc43681
    SHA1: aeb7c43781d43851f7f127b4e5adc46f743d1b14
    SHA256: 86cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
    SHA512: 4f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 573KB
    MD5: 451d320c4693c75e5440cb4d9c47a77f
    SHA1: eb33d16b45402ffab95c3735479cd3070892e03f
    SHA256: ee272f52273d86c5612ac01738c5dbf9467aa805560258e77c1de59bc9bebfca
    SHA512: 93cbaba8c9793e66a210b0c4f1f788b15d011b8170feee09275ec5cfd22b972999186d1172ccbc0ddb448c1a563cd3d289f17fc8fb665932d3db5477234aa33f

  • C:\Users\Admin\AppData\Local\Temp\$$a1587.bat
    Filesize: 722B
    MD5: 2ef5b15f576885b0b500c7616d94e4f1
    SHA1: 149ca6a7a882d01ffadd819454c8b0e72da6bb39
    SHA256: caa38c9f2e6a4d83081090cb0bd9bf79dc9d7c3b6df84521f278ae50dc6d9f44
    SHA512: ab73e8e79290ff4301766020378635d073185c73d2de0c3a48a03a635731cd7c049ead82dd25736a37a375676f9455ce542c5eea6d6ffa57548e03f706318c86

  • C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe
    Filesize: 388KB
    MD5: 766721f110f52057319fb87a2f1d4225
    SHA1: 6b2d5b226224567f726fe5c641f4a55e575a1781
    SHA256: 4ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
    SHA512: 49d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9

  • C:\Windows\Logo1_.exe
    Filesize: 29KB
    MD5: dccda60757967a88ad8a9a89f813748b
    SHA1: 30342bac716279dc71135ca51c669c25940a8684
    SHA256: 73bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
    SHA512: b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816

  • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
    Filesize: 9B
    MD5: 4f2460b507685f7d7bfe6393f335f1c9
    SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
    SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
    SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

  • memory/904-11-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/904-0-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-20-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-34-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-38-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-43-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-27-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-142-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-1182-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-1683-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-9-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/3568-4911-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)