Overview

overview

6

Static

static

3

934ae507f1...60.exe

windows7-x64

6

934ae507f1...60.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    934ae507f1126e3aae3d9ff51ecaca6fbbbcc8c716ef2d0ea6b84ad67e346f60.exe

  • Size

    26KB

  • MD5

    018bb372281ce4f7e8a92a3d76007b19

  • SHA1

    697cce925b43cb4729a2fe8e99e8cbb526db1b14

  • SHA256

    934ae507f1126e3aae3d9ff51ecaca6fbbbcc8c716ef2d0ea6b84ad67e346f60

  • SHA512

    0ddaabfffe7afa118e6b50fe95bd9df4e7bdb07c0f967881fbe5f83cf3ee725d4164086ad06f3c957c5bbb62e880f53b727a203ca795426149fec043221e4d03

  • SSDEEP

    768:q71ODKAaDMG8H92RwZNQSw+JnbmQj3FZJ9Vs9XnsD:CfgLdQAQfwt7FZJ92Bs

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\934ae507f1126e3aae3d9ff51ecaca6fbbbcc8c716ef2d0ea6b84ad67e346f60.exe
        "C:\Users\Admin\AppData\Local\Temp\934ae507f1126e3aae3d9ff51ecaca6fbbbcc8c716ef2d0ea6b84ad67e346f60.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:640

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        06ab13543199f6bdec5d9811354e1b64

        SHA1

        1aecff8a4cb3d7ca4467b7817202a222f54042d6

        SHA256

        76c41c711043934762f2551e30d30484c5109582dfffc44dc2d8348ca438bc66

        SHA512

        270ee9e691b759ce4f8813460c21c0ddd968ba5f8e81c47fb2ede84bcaa5bcfa2a7d36b31ba3f3c922725b5f70b195be60cf16493cacfcc309e4f2442c4ac2e7

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        170KB

        MD5

        cc1d0a67de4709535c8328192c1b483f

        SHA1

        e3f912ef17a89bec7e8004304eb10cbb6f36140e

        SHA256

        98f139d3510b78d2856230b899b28f9b55af567bfc4d43b9dee089a6c1be0633

        SHA512

        4ccc8a7c2acd8e901a82247dbee77a2ac603823a11e7dab58cfcd9fbb6dcc8133d293181e1a12d790b92cb78f5fb38c17e4b1c9435aa9b6d4fdaf3f27bdd4a48

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        26f10ae795ba6df10c2779f4a535b449

        SHA1

        f00986886ad07550c909b9f02b7b3a9c310e8b0f

        SHA256

        996761040fa3726dbdda9dd94f543e7d0f26f58b5c7a122e900e56b2dacdc7b8

        SHA512

        5f5ea3a050876256571610eec85456ac6b3469ddaa10a6c62d621081718cf8eeedc21cf6381c49c835c6b61690b7c41107b357bb14c044ace1dfe7f827baa93c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2753856825-3907105642-1818461144-1000\_desktop.ini
        Filesize

        8B

        MD5

        62ed51082fc4fc1bd95074d15b55235d

        SHA1

        80c24bf5b2829be9d39199229ec9396e371f4080

        SHA256

        8aaff1179c8780f4fee8d0594a58b0c3a9e7b013a76908bd05dac636f7af1302

        SHA512

        19aecc53c5cebcecf9c5889e305e1129ebbdf42d1c414713aa2a4a98e8725ad156f6cd72562f7bb3001ee8d33ed8d5d47704f757001913117633b5151e6aeaf4

        Download Submit

      • memory/1368-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-1046-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-1213-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-4403-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-4776-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1368-5221-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download