Overview

overview

6

Static

static

3

17c423946e...fb.exe

windows7-x64

6

17c423946e...fb.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17c423946eb6bc020c324cbdb9c8a8b545c5a44955ba9c7614c41b509c561bfb.exe

  • Size

    29KB

  • MD5

    d284a21fe9a6739bbac331de3ee5024a

  • SHA1

    d8dae7b29d57e68cba6fd563aa5d3c7f433d421f

  • SHA256

    17c423946eb6bc020c324cbdb9c8a8b545c5a44955ba9c7614c41b509c561bfb

  • SHA512

    c51ace5fb0803c0d88792a7c61c8fd3047af72a5e07d6b3f8bb252939dd27722a1675d9bd439192ad501225202ce4083642591f52d453f68b3bc09486afb1e1d

  • SSDEEP

    384:sbb4trq1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRS/0z6B:4irq16GVRu1yK9fMnJG2V9dL

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\17c423946eb6bc020c324cbdb9c8a8b545c5a44955ba9c7614c41b509c561bfb.exe
        "C:\Users\Admin\AppData\Local\Temp\17c423946eb6bc020c324cbdb9c8a8b545c5a44955ba9c7614c41b509c561bfb.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      247KB

      MD5

      59314863b82fc4d8c089355eaf2a4ba5

      SHA1

      abcc991af0baaa9013aa8d0a62001fe54ca9a3d1

      SHA256

      345fa3cc66298d78d29e3ac455702cc22f93a0d4649ad9d2b0d1390eda405cf1

      SHA512

      a4240883dc5b6b98e72833d6c3fdb6228fac74a78534207aaf918ce3eafd3fc48527667333a79c3daff99fb6208b9cb959a6622fe77c3609276d7fa801dfc4ca

      Download Submit

    • C:\Program Files\dotnet\dotnet.exe
      Filesize

      173KB

      MD5

      cb3e5c658f8efbe5998f4946c07125a5

      SHA1

      9904701c2c0c3a89b1113e80fdab60e5f9235bd6

      SHA256

      951ad25acaaf917850590c4f8a7fd19a758d94142b0dc74acc61d6ee22ede63d

      SHA512

      4dd05aedb9ba663ccee5cb65f83d021b2742a3dc262e33dab2586185d910f7a0daf52abd9b5cc428a6fb2ab017e3185236b987f23e4b6a270e29b96da7f788f0

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      639KB

      MD5

      17597a6d51527228f8965ac7d71bcbb9

      SHA1

      052b817f9a3d3fbc5a8f1a40504960a9265866f0

      SHA256

      7a10ccbccbeaf81905c2dc7f89f67c5ec2e15e77bb6c6987a4bb06bccc802c88

      SHA512

      662d549d1b1f09d517e7b3b4c9659efc5915b6c1a3e9f7075a4a5ba5954c1ba54e6f187e97537f444e2d33e4d342d4872ed8dd6212094492bd990d091f438958

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini
      Filesize

      9B

      MD5

      f74f4ac317419affe59fa4d389dd7e7c

      SHA1

      010f494382d5a64298702fe3732c9b96f438c653

      SHA256

      74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

      SHA512

      f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

      Download Submit

    • memory/228-22-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-13-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-405-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-1219-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-6-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-4770-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-5-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/228-5215-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download