Analysis

  • max time kernel: 150s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-09-2024 06:09

General

  • Target: 20de04ec35e4476ef9b009469791f672bb29aff69285f8ff1871bc89c7d7d1db.exe
  • Size: 26KB
  • MD5: 70d4176c1c7ea7039b3b5446bb28e756
  • SHA1: 58bf39974eae416d4fbe6da9ecd647d01a64dc5f
  • SHA256: 20de04ec35e4476ef9b009469791f672bb29aff69285f8ff1871bc89c7d7d1db
  • SHA512: 721e3a09fe766ae437ec58db26798a3521c7ee6c6d564c680c2e343858ed5c063000bc259e64b8bc34313c0ce3f31b480b0165d097a3790d8f284e17891b421d
  • SSDEEP: 768:utb1ODKAaDMG8H92RwZNQSwcfymNBg+g61Go0ssQ:AfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • [1] C:\Windows\Explorer.EXE (PID 3480)
    Command line: C:\Windows\Explorer.EXE
    • [2] C:\Users\Admin\AppData\Local\Temp\20de04ec35e4476ef9b009469791f672bb29aff69285f8ff1871bc89c7d7d1db.exe (PID 4740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\20de04ec35e4476ef9b009469791f672bb29aff69285f8ff1871bc89c7d7d1db.exe"
      Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • [3] C:\Windows\SysWOW64\net.exe (PID 4888)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        • [4] C:\Windows\SysWOW64\net1.exe (PID 4196)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize: 244KB
      MD5: d007587ae0cfcb431bace456ea07548c
      SHA1: 58855d80bb89cf958e4c5fa9b0aab6e10e5340d7
      SHA256: afc15ace7ec581680d2602fde309d1a67677b307bacca60a2e3ee4d2ff2c7d2b
      SHA512: bf6063cebe5b899d944ef51bdfb412816a4f57ada732c8e6c8b14aaf04063c06ffc58a1f15de50695e918ffddd1f9a7c42405935abcaa8984e4a32529eeaad64

    • C:\Program Files\dotnet\dotnet.exe
      Filesize: 170KB
      MD5: f60b49d7bc38f842b4878b827f28331d
      SHA1: 7ee81653ea322dca8d27a35ff40cca60eb3e11d0
      SHA256: 6a3e4344a697ad517c6b7a2b7d1471d5749e6f20872b9955a9a3806bfa30a6b2
      SHA512: 5a1929de3c8991387937d57db88fb41987a6407b2df885c8c78cea5815497f8b9f6c58ca2d655f3b2f784ab6ee90a037f8b7f8497d44e590d29bf5860fc7f552

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize: 636KB
      MD5: 6de1791996d651f3155ee087540c82cc
      SHA1: 34994156f2e73f83420a291d0aa9450412806f3c
      SHA256: 60f547c04735a2be00ad11512cefdc7dd07fa92877c74333e614eb7e0ea39953
      SHA512: 532aec603381095de5847384937a2076a8b93b20b04fb26f75fb5aef29be711a0b0a8f9d9506a5c05b848802b0d70c675c7360d30815a129b16a069cfaf74bb4

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini
      Filesize: 9B
      MD5: 82fa69b12ac2df558c85e86426eb13eb
      SHA1: ad90b8756e3bebe04450f6950419c761844d7b7e
      SHA256: f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775
      SHA512: 3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f

    • memory/4740-13-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-18-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-22-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-0-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-390-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-1219-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-5-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-4777-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
    • memory/4740-5222-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)