Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 18:39

General

  • Target

    38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe

  • Size

    3.5MB

  • MD5

    20a163251d455bb56f0e34dbe85f31e5

  • SHA1

    762ce8247d2cea1d049c219d50328d683e6977f6

  • SHA256

    38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3

  • SHA512

    239c94f35770bd9d517e1012673b564b75fd9d2f894313339dfbdccc5c7fa59222259b39c206270f980dc7e5e1b45db893d866327ad35d3609cc62fbc042ae1f

  • SSDEEP

    49152:N7Nzho0LuviX3KGXgr4rLh5i4NSjFBhm5Tksb59AR4JGt+RxBT/b+/Eyfh/:R97KGXCMi1m5Ysb+8pTs

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3420
      • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
        "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A67.bat
          3⤵
            PID:1816
            • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
              "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
              4⤵
              • Executes dropped EXE
              PID:1428
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: 49a62820d1efb4519dd944dcd70fc628
    SHA1: 69dbe72b903c993214fccd5f46033dce498dd6da
    SHA256: f44d841a27e818cb49961212d433665decc5343cde83bc1ac30d6814e88cf478
    SHA512: 6c1b7a75b1256d747ef45aa848366b90b400685ef9658bd6c1b9de92a010633caca4c575d4973cd4bb90dfdfc28bb557516935c5609e586630bd2e12589f2d9d

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 570KB
    MD5: d4f4df98f0488e6217665871836a9402
    SHA1: 782c9259f527de11e8f5e66847995f23e2bd7e41
    SHA256: 5fb7f631558f71a0907e4792fc692ed3e70f4527d7f947b73a6701699b2a0253
    SHA512: 15cf15aa042eb81e325b9e0d700330c1e30e80fb78aa1654b5e9061f127ecafc459f35511a837aa98ee75da197e6e69ce9178bfe605009c3eb5b2e66a4f784a9

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 636KB
    MD5: 2500f702e2b9632127c14e4eaae5d424
    SHA1: 8726fef12958265214eeb58001c995629834b13a
    SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
    SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

  • C:\Users\Admin\AppData\Local\Temp\$$a4A67.bat
    Filesize: 722B
    MD5: 2647861e742341c2727c5727a6592963
    SHA1: 3bfadd25c4eeda96502140f36b2da1e1c701e0b7
    SHA256: 9ddb743380d66c6cc26a78ee62cd2afe69b8a44a8a8306da17f8b2bbb87e4ed3
    SHA512: d22bb4e170c564257903a63a626c4b86fa08e522c2fda0c724924952c226797ba32b73937329c0add590f648a3db1e76620c52b38f18c786416db1fd6e5c897f

  • C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe.exe
    Filesize: 3.5MB
    MD5: d9f3e7d65208d33072ca8508f3e1a1ed
    SHA1: 900a44cb8c3e67983fa048d63a3e826c987ea8d6
    SHA256: 449882e178a951857ab9e242fd4b4fdb974d3c8a4c7c36a4e037c46b20f73d6d
    SHA512: a992e0d4ab3f26205720042a24ad6886eec3c05e27637ede1ad9630dc8d5a1aa6c46b7e298946fa2035f4b14442693e9bbda53c51fd9a5701cd0a408f194a117

  • C:\Windows\Logo1_.exe
    Filesize: 26KB
    MD5: 869d76e7fc9dfbd34eb7ef916d28097f
    SHA1: 46a09541d845c9252cf299b3baa7d987ce65e91e
    SHA256: 89ef653086b94ea01573ce95d15a76aa140fd9a8a34e9ded6d642a53541674d3
    SHA512: 0a6e0273375df97c9258ff48b21b022b8dfd3d0831db0518f21abd38f54c5d724d950f6fbb43cd492330121b614f488c3c90aa679e9d0257c0570b59443df254

  • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini
    Filesize: 9B
    MD5: 4f2460b507685f7d7bfe6393f335f1c9
    SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
    SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
    SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

  • memory/216-12-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/216-0-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-27-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-37-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-33-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-1231-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-20-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-4797-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-13-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/1692-5236-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)