Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 18:42

General

  • Target

    baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe

  • Size

    1007KB

  • MD5

    b6b4b30b82e3cc4d31844b73d89ad496

  • SHA1

    d295439b929266922024307c4503c3a824851ea2

  • SHA256

    baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9

  • SHA512

    b56e6cd35f5f6c3271bc89b0f9649157cf704279b616e85ad85827175dc5936f669e5217dc4b4a41360c12fbe7940757e8a320e4b97ec65f529233e67a353943

  • SSDEEP

    12288:K7+PZK9I7MNmnx6Fg7kbiKFtC+eHNXXuz8sxKp7hIxLBy8omtm0/jG8Dqc:K7SiL28btC+co3LBy8omo07G8Dqc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
        "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4268.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
            "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
            4⤵
            • Executes dropped EXE
            PID:2000
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:2796
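The process tree above shows the chain a detection engineer would want to catch: the sample runs a `$$<id>.bat` from Temp via `cmd.exe /c`, that batch launches `C:\Windows\Logo1_.exe`, and Logo1_.exe uses `net.exe`/`net1.exe` to stop an antivirus service. The following is an added example, not part of the sandbox report, that encodes those three behaviours as rules and runs them over process-creation events constructed to mirror the tree's PIDs, images and command lines (the events are not sandbox output; the rule names and the AV-service keyword list are assumptions made for this example). Each hit is reported with its parent chain back to Explorer.EXE so the stop-service command is tied to the process that issued it.

```python
"""
Added example (not part of the sandbox report): three detection rules run
over process-creation events that mirror the process tree above, plus an
ancestry walk so each hit is reported with its parent chain back to
Explorer.EXE.

The events below are constructed from the tree's PIDs, images and command
lines; they are not sandbox output. Rule names and the AV-service keyword
list are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass

SAMPLE = "baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    image: str
    chain: tuple  # PIDs from the hit up to the root of the tree


# Constructed events mirroring the report's process tree (ppid 0 = no parent seen).
EVENTS = [
    ProcEvent(3404, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(972, 3404, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(2352, 972, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c " + TEMP + r"\$$a4268.bat"),
    ProcEvent(2000, 2352, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(4788, 2352, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(620, 4788, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2796, 620, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


# Rule 1: net.exe / net1.exe asked to stop a service whose name looks like an
# AV product. The keyword list is an assumption for this example.
STOP_RE = re.compile(r'\bstop\s+"?(?P<svc>[^"]+?)"?\s*$', re.IGNORECASE)
AV_HINTS = ("antivirus", "anti-virus", "antimalware", "defender")


def rule_net_stop_av(e: ProcEvent) -> bool:
    if basename(e.image) not in ("net.exe", "net1.exe"):
        return False
    m = STOP_RE.search(e.cmdline)
    if not m:
        return False
    svc = m.group("svc").lower()
    return any(h in svc for h in AV_HINTS)


# Rule 2: Logo1_.exe executing straight from the Windows directory.
def rule_logo1_in_windows_dir(e: ProcEvent) -> bool:
    return e.image.lower() == r"c:\windows\logo1_.exe"


# Rule 3: cmd.exe /c running a $$<id>.bat dropped in a Temp directory.
BAT_RE = re.compile(r"/c\s+\S*\\temp\\\$\$[0-9a-z]+\.bat", re.IGNORECASE)


def rule_cmd_runs_temp_dollar_bat(e: ProcEvent) -> bool:
    return basename(e.image) == "cmd.exe" and BAT_RE.search(e.cmdline) is not None


RULES = {
    "net_stop_av_service": rule_net_stop_av,
    "logo1_in_windows_dir": rule_logo1_in_windows_dir,
    "cmd_runs_temp_dollar_bat": rule_cmd_runs_temp_dollar_bat,
}


def ancestry(events, pid: int) -> tuple:
    """PIDs from `pid` up to the root; stops at an unknown parent or a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return tuple(chain)


def detect(events) -> list:
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append(Hit(name, e.pid, basename(e.image), ancestry(events, e.pid)))
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h.rule:26} pid={h.pid:<5} {h.image:10} chain={' <- '.join(map(str, h.chain))}")
```

Run against the constructed events, the rules fire on PIDs 2352 (the batch launch), 4788 (Logo1_.exe) and 620/2796 (the stop-service pair), and the chain for 2796 walks net1.exe, net.exe, Logo1_.exe, cmd.exe, the sample and Explorer.EXE. A plain `net stop Spooler` from an administrator does not match rule 1, which is the point of keying on the service name rather than on `net stop` alone.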

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        412c84a84ee1f753aab61983dab81871

        SHA1

        3ff6d44a264e52f0bc0c644fe399ec99bf9ef013

        SHA256

        1cfea775593e7ce2c698a171a33c7e21fb545e2c67ba6c47777d8e461ac8f1c4

        SHA512

        3c52c6534a62bf11eedc332810e04d8854392f546f33736cc88fdaaf9fba0744269bbfd4e75545c0b50f6d0556bb3b855df407bc54e6c5a54f4cbbe5f9b07dd9

      • C:\Program Files\7-Zip\7z.exe

        Filesize

        570KB

        MD5

        ae4a0b79964b8785cfae2eb5fa11e34a

        SHA1

        5c14a9bc200fa19b4863aa8aed3e8356a3a5ae9d

        SHA256

        dc35631c1a06060be298409e2cf36395641714e2e7edf18de0fdf41794cbcf7e

        SHA512

        9e8e01d697d8c404894981ab54a602cb2d1d0c4ed75736382edff6b2c1260da9ffa692cc13790a63e775356976e39f699af226ce53e05bea94d285cb3d952fb5

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

        Filesize

        636KB

        MD5

        53ee62011469b286a2a1b5658c86b9bf

        SHA1

        9bdac0b23b0a965947c780c6a6b48fc7122f9ade

        SHA256

        7125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0

        SHA512

        c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236

      • C:\Users\Admin\AppData\Local\Temp\$$a4268.bat

        Filesize

        722B

        MD5

        645d6f0b64166a20914803773469f65d

        SHA1

        999a31422dff925f3d1277afc14d84fed4cea4f8

        SHA256

        9c5277c6044ab4203d90b20dcf36220197bcf7828c245829b888f0cf47f31e04

        SHA512

        4fa983bbe691a1f7be876b212e43af3e4457460931ee35cb4f1a897f7b60db8f42943a887667d7b0b7a7e554f184afd6574c116e9f18b244e36459aeb2b83f87

      • C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe.exe

        Filesize

        981KB

        MD5

        7f3528cd8c220c32eb5453c2e50c2435

        SHA1

        e7434bb57eec4bbfcb6375ee8c33d5d0a8a1d4e5

        SHA256

        e83b0a57520815815e5e2e1fb8014f5d340369a2252a1ff97ab67d099c9a4315

        SHA512

        b73aee0b78051f1b16535282bec757ce516d3a25d9af67cd358100663f352a9a571a6413846a46b96f3ac5b3137bfac418941c79e87ff7b58d41cdaa73051d6f

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        f0eb54d6d17689ab4e229ce122317bbc

        SHA1

        93a5a82c43c6d4089ccccfc434985a9c3baa1dc4

        SHA256

        80da141e0ba00151479dedc491ae3a1d967e9e30f06b29a4eda22d6fd1ba03b6

        SHA512

        cd5c2bc37516daa390924b54f1108551437988303c4ce7aa33c2bb44418e78a7d68d129fa6769a3eae9fb7aa5281730e8282ab75c06a5cb63cc211f88a213f37

      • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

        Filesize

        9B

        MD5

        4f2460b507685f7d7bfe6393f335f1c9

        SHA1

        378d42f114b1515872e58de6662373af31ab8c7b

        SHA256

        47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42

        SHA512

        75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

      • memory/972-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/972-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-1230-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-4796-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-5235-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB