Overview

overview

7

Static

static

3

b6c487a143...0a.exe

windows7-x64

7

b6c487a143...0a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe

  • Size

    820KB

  • MD5

    8a1da33ecdcf0b67a8c758404d67d069

  • SHA1

    8a062d78d05e2508428ba41b31e1d0b8259d48a4

  • SHA256

    b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a

  • SHA512

    54bb5d909e70ee99692c46b0f9cdc71242faa1025b830bc7f82e3bd864ff5cda41b1acdd46d77f594f1bd42b96addabf398e955217fc72a6b7bbecd86c573a95

  • SSDEEP

    24576:f7Q3LutmkEz+PAVV/OOInO4Xs2ztR4iegxLHgZpJE4VDd+:f7QbutmkO+wAOInO4XrztygxLHkJE4VB

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe
        "C:\Users\Admin\AppData\Local\Temp\b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7203.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4552
          • C:\Users\Admin\AppData\Local\Temp\b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe
            "C:\Users\Admin\AppData\Local\Temp\b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4744
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3968
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      244KB

      MD5

      f9c77f332e2fa0f0b2d4c4434c8be92d

      SHA1

      fd077ee2df037b1484de916c2f7764589e84686f

      SHA256

      20216e9cd954598df701d486ddc9a74122fa4b8ace8c623c68191570921faf6e

      SHA512

      0f6bcf4771b678afa3e171428fd118db7bb1d4f9be164084218ccb78c917e925da02aa05e192066504cc418e6d81be58f93ca9254c990c9b6ac18d17339e1fe5

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      570KB

      MD5

      1df1e21e226512331a1a485cbc0b8da6

      SHA1

      69b8e91f63c5cce97bfa081b7e739b1b8d2f2f11

      SHA256

      3766cca186d39ad66cce7b7d72801691b40fcc9ccf1e61d4618edcfa26d0da55

      SHA512

      e9ebf8c836daf69ccab57f70cca0f77a996dc4748f5c3200bcafe9e41b475fb80adf52851777370bfea2bb766be522ee5a39cb7f090a1465e4cefcf885630a0b

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a7203.bat
      Filesize

      722B

      MD5

      26b5569d9cff53e2ea962f9386c1db6b

      SHA1

      0be22ae9806ad46f82837ce65d5df93880738d70

      SHA256

      48328eeaca47d1d5907779f63c23d3d099d2adbb542229536989cb856e697510

      SHA512

      91b7ff29244fbb8251777bfaeaadf0ac85cc54185907650400024bea582324f0043865637167251f955c954f55b450cd10b29029bb5d19ddfa225be648f88a83

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b6c487a143ebaee222cdf964a80757259ad3fdf2c20e03081b49b7dc496a170a.exe.exe
      Filesize

      794KB

      MD5

      c6d0721e9156eb2a40a04bb38be0b2a5

      SHA1

      d0a3fcb3ad9f227a02d30abb767883b42fecc3a7

      SHA256

      2435e1e50c097608e6157efb1036946cfdd02d86728e8e00a02b207bee36e60d

      SHA512

      e254db10a7cffc4fe8c2d126dc4eb5029a84b2a931a67ad9ebfd04a8f3417e42a7dfb2e76d8911b2540bcf9eff9cbf92708b158dd8f53dbcbe7be51682ac3ad4

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      597dce3317f57eaac044ce19db3307f6

      SHA1

      665fde09122f6c76187190e8efa73db75c51e642

      SHA256

      170d6e27f17394d79f717570b49b94ae0d533b65219dfee4d0e047a5e7690b32

      SHA512

      a6a417d61b1040b3f63d1ca484b3d3c57e7850f29762e8ade063ba860e369cc91e0f4a82eaeb5bca63531b56cd37a909662445dc6bd8564dedb7de6ef4330a53

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini
      Filesize

      9B

      MD5

      475984718232cf008bb73666d834f1f4

      SHA1

      12f23c9301c222f599a279e02a811d274d0f4abc

      SHA256

      a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

      SHA512

      80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

      Download Submit

    • memory/4396-31-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-37-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-41-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-24-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-937-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-1238-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-4796-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-9-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4396-5241-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4824-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4824-11-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download