Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 21:51

General

  • Target

    496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe

  • Size

    106KB

  • MD5

    bfcd9e7bb870b2b2d46d56d236145418

  • SHA1

    723cf1794b4380ba67de8d3fb14a1166d79275d8

  • SHA256

    496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb

  • SHA512

    457a60a1b174b1074b4660b0be4f45db6314befa61a87dd16e6f17b803d6e9095d89572d3e6b94d524152af64cbd4522d533f9c81e1b088bc5c187d37b3aa3af

  • SSDEEP

    1536:TfgLdQAQfcfymNr92jcQoXh3zlNEx3nRf4EXtEZ/rL5mAK3N:TftffjmNrYAQWhjlNEx3nJzmrL5DSN

Signatures

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 1 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe
        "C:\Users\Admin\AppData\Local\Temp\496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3A0.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:448
          • C:\Users\Admin\AppData\Local\Temp\496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe
            "C:\Users\Admin\AppData\Local\Temp\496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe"
            4⤵
            • Boot or Logon Autostart Execution: Port Monitors
            • Executes dropped EXE
            PID:4480
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1360
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5104

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      244KB

      MD5

      a2d4bf6246f865ce701c7e090854b155

      SHA1

      7e52d052ad5b98ac4d120de398ac621c3a499122

      SHA256

      7c04eb1013af998156fd5a4a3b191e55f2abcc4b5e504ae01ffaaf62c8d3fe5c

      SHA512

      34ec3468212abd18183c0844011dbcf8f9923084ef4421565806c000f87698865f26c0853b5af398ea1678c08018b9b4cd8f9f41093e2b84ec96a19ff56b989a

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      570KB

      MD5

      1f0c89210c0c2b6b401d6013df6c5470

      SHA1

      eed62ebf50a5470a3bd232b1d06642b738d2c1e4

      SHA256

      93798d7f52e9566661010d6e9eaab19923dbe45e3036c74e4f228be7dd44510f

      SHA512

      7a251b77deae50aa47f0cde3c631f4ce1be994758bdf00888a72485f5894d6b918d6948ca6422cd4b40062c377eb5c55c3b6585857c1d7b7d15de372be8fc5f0

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

    • C:\Users\Admin\AppData\Local\Temp\$$aB3A0.bat

      Filesize

      722B

      MD5

      7828d185c0666670c8d3b42ab09192ba

      SHA1

      e21fcf0e80675e0e40cfbbd42ef766c5618c52af

      SHA256

      f6a425f9a5c0fa766cad82cc6b5639fa3a44e393e8cb4ab01fe47bce27752f76

      SHA512

      0e8028b6112d389364477b1c090a91b15dade5c9e574caa3323969224ec13b7df2c49f78c87944f70d79d99b6590cd8ee31d16a023639f06bf079abf34980424

    • C:\Users\Admin\AppData\Local\Temp\496452d080c52873f8332b2ea142a9a89dbd4391696149d0fb3f2464a30cd2eb.exe.exe

      Filesize

      80KB

      MD5

      9917321020e7d0a5acc2a10aa4b990a8

      SHA1

      385bc850672af0ed72db3ef609a1dadc6cf4f505

      SHA256

      ca21b4956d566dd3225cb2fc22c6fa66e19ce63be626625e3f15bf67952d1e14

      SHA512

      4d5d5e1c60794f1620c783de6f17a8453e30c586d20c9308707bd0ba44ed4e17c97a0ad953b546953b157ebd7c1dc045be479d9d0e588886d78ffc1ad76d5ad8

    • C:\Windows\Logo1_.exe

      Filesize

      26KB

      MD5

      37dc111dc9c93bf1cbf5c548ec05dfb3

      SHA1

      eaff3f4d4cf183d169892b72c9edc9b541f269c2

      SHA256

      56e0db15c975b652821fd3a08b11996354ebec6402f234790d95e50c37aa4ba4

      SHA512

      faabed4bfd64291487135767887e2f75f856f016d32f5b94b77eda375ac4fb86d94d35d171799520fa3b7208d8c9989af313de6df8f6caa0d12e007edd9d3bd3

    • F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini

      Filesize

      8B

      MD5

      5e797d005cfee3b802f98412c511983c

      SHA1

      1c65a747549afbed9971b65c604d64ec1f1ab898

      SHA256

      dcb1b824282c0cca0aaad7a62d7857039122e25a100766f82c85f227b36e4c88

      SHA512

      41116f81a81859b0608b0150a4cd791b3fba9e7516ff3eb98494a3802a3532dda052a2ed955d64c023fe6d8113079d7190df6f5bcc7ef86c8e743419a758706b

    • memory/3012-27-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-33-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-37-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-20-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-1233-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-4792-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-10-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3012-5237-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4868-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4868-9-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB