Overview

overview

8

Static

static

93ef6ec35f...42.exe

windows7-x64

8

93ef6ec35f...42.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    188s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe

  • Size

    112KB

  • MD5

    6f5aac6e26ef2b4d76e96067186f6bd0

  • SHA1

    35df376831b69ffcd7c7feefdc9c0f2f826b4365

  • SHA256

    93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42

  • SHA512

    4ddd6581525e0b5d234a1ad6bd224ed8502534d79361579d34dab6a5ce4608bdd4517b572d2e2cb925b47d26b3ee41c53421bd2ace0bb8e35c71135b44a7a01a

  • SSDEEP

    3072:yftffV+RusUrMzkm8PL3E7Qw/STyr5Jks7M/2:CVfw8szkmIL3E7QPQLE2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
        "C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9619.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
            "C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe"
            4⤵
            • Executes dropped EXE
            PID:956
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:320

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a9619.bat
        Filesize

        722B

        MD5

        fd3e6ac6f233cceafd511f1e0817d1c4

        SHA1

        9d05af0bbe0b3c00e6dbddfa6b55e23eeeef40a3

        SHA256

        1707db7eb30aa08b38eee11d07208063c19c8feb8ca8e6f63fe5bd860b1c33af

        SHA512

        66e5cff8bcf44a2267192265eb1681dda2c3cd3d5ca89dd90f2c4d9940767b7e62d5a0d107a7b8ed49c0ffa95dba1cd0a8d4a9bb5c5727da1169bbd0980a5127

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
        Filesize

        86KB

        MD5

        72dfd72927e77f491f786648e74edfc5

        SHA1

        7fb9e4b3ab6a5bfe5e78a36194407f56ce96e61a

        SHA256

        6c0473a4f79ad36f2526f190db19582af27988128b6fac96720bace7f5c271e1

        SHA512

        0842a4866c8b78f502023c9430520f3595b4f3938f3be8ab3fbb7f72660a78c7219da817d4071d6908442b933f8f71840040188db86d5a97bc620345ce4bf695

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe.exe
        Filesize

        86KB

        MD5

        72dfd72927e77f491f786648e74edfc5

        SHA1

        7fb9e4b3ab6a5bfe5e78a36194407f56ce96e61a

        SHA256

        6c0473a4f79ad36f2526f190db19582af27988128b6fac96720bace7f5c271e1

        SHA512

        0842a4866c8b78f502023c9430520f3595b4f3938f3be8ab3fbb7f72660a78c7219da817d4071d6908442b933f8f71840040188db86d5a97bc620345ce4bf695

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        3d02e9a181d3ed5b125e56a1987b5bdb

        SHA1

        a9ef3500a71f0a29260039de0f4d80bc51f43912

        SHA256

        882c4645013972204e5c933033fa05512a17a5205bbef8144b96fb6ebb4d6825

        SHA512

        b0de499cef5cf1dfcb44c7cee3ccde49e23a061818f55a55bb766855c7e7c98d043ab54ea9f21c76f94c42f41fe272100e22f1d35fa88331f01c2a83245444b1

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        3d02e9a181d3ed5b125e56a1987b5bdb

        SHA1

        a9ef3500a71f0a29260039de0f4d80bc51f43912

        SHA256

        882c4645013972204e5c933033fa05512a17a5205bbef8144b96fb6ebb4d6825

        SHA512

        b0de499cef5cf1dfcb44c7cee3ccde49e23a061818f55a55bb766855c7e7c98d043ab54ea9f21c76f94c42f41fe272100e22f1d35fa88331f01c2a83245444b1

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        3d02e9a181d3ed5b125e56a1987b5bdb

        SHA1

        a9ef3500a71f0a29260039de0f4d80bc51f43912

        SHA256

        882c4645013972204e5c933033fa05512a17a5205bbef8144b96fb6ebb4d6825

        SHA512

        b0de499cef5cf1dfcb44c7cee3ccde49e23a061818f55a55bb766855c7e7c98d043ab54ea9f21c76f94c42f41fe272100e22f1d35fa88331f01c2a83245444b1

        Download Submit

      • \Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
        Filesize

        86KB

        MD5

        72dfd72927e77f491f786648e74edfc5

        SHA1

        7fb9e4b3ab6a5bfe5e78a36194407f56ce96e61a

        SHA256

        6c0473a4f79ad36f2526f190db19582af27988128b6fac96720bace7f5c271e1

        SHA512

        0842a4866c8b78f502023c9430520f3595b4f3938f3be8ab3fbb7f72660a78c7219da817d4071d6908442b933f8f71840040188db86d5a97bc620345ce4bf695

        Download Submit

      • memory/1740-67-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1740-68-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1916-57-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download