Analysis

  • max time kernel
    187s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 00:43

General

  • Target

    93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe

  • Size

    112KB

  • MD5

    6f5aac6e26ef2b4d76e96067186f6bd0

  • SHA1

    35df376831b69ffcd7c7feefdc9c0f2f826b4365

  • SHA256

    93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42

  • SHA512

    4ddd6581525e0b5d234a1ad6bd224ed8502534d79361579d34dab6a5ce4608bdd4517b572d2e2cb925b47d26b3ee41c53421bd2ace0bb8e35c71135b44a7a01a

  • SSDEEP

    3072:yftffV+RusUrMzkm8PL3E7Qw/STyr5Jks7M/2:CVfw8szkmIL3E7QPQLE2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
        "C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF42.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4924
          • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe
            "C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe"
            4⤵
            • Executes dropped EXE
            PID:1688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3096

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$aF42.bat

        Filesize

        721B

        MD5

        8be744d1f171feaa43f1be5cd7d1c713

        SHA1

        0b9b5b4cf2fee60f956d7a99eef4ee8f54537b73

        SHA256

        ebde8f2c40f2969e65fab12c54aa3f83e4f68ca6fafb285290d9ba040fbd4151

        SHA512

        4b9ac963461ca234ff0f2d1f453aaac2ee6238feb22f3e5b07c666e1a427142f2278b9c3ea96c6b87661cbac5f0ac15f3c7267024fc0a4a27661517e1e759d02

      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe

        Filesize

        86KB

        MD5

        72dfd72927e77f491f786648e74edfc5

        SHA1

        7fb9e4b3ab6a5bfe5e78a36194407f56ce96e61a

        SHA256

        6c0473a4f79ad36f2526f190db19582af27988128b6fac96720bace7f5c271e1

        SHA512

        0842a4866c8b78f502023c9430520f3595b4f3938f3be8ab3fbb7f72660a78c7219da817d4071d6908442b933f8f71840040188db86d5a97bc620345ce4bf695

      • C:\Users\Admin\AppData\Local\Temp\93ef6ec35f8f667551091510ab511a4d4ec349188f808c76782e0e70a3daae42.exe.exe

        Filesize

        86KB

        MD5

        72dfd72927e77f491f786648e74edfc5

        SHA1

        7fb9e4b3ab6a5bfe5e78a36194407f56ce96e61a

        SHA256

        6c0473a4f79ad36f2526f190db19582af27988128b6fac96720bace7f5c271e1

        SHA512

        0842a4866c8b78f502023c9430520f3595b4f3938f3be8ab3fbb7f72660a78c7219da817d4071d6908442b933f8f71840040188db86d5a97bc620345ce4bf695

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        3d02e9a181d3ed5b125e56a1987b5bdb

        SHA1

        a9ef3500a71f0a29260039de0f4d80bc51f43912

        SHA256

        882c4645013972204e5c933033fa05512a17a5205bbef8144b96fb6ebb4d6825

        SHA512

        b0de499cef5cf1dfcb44c7cee3ccde49e23a061818f55a55bb766855c7e7c98d043ab54ea9f21c76f94c42f41fe272100e22f1d35fa88331f01c2a83245444b1

      • C:\Windows\rundl132.exe

        Filesize

        26KB

        MD5

        3d02e9a181d3ed5b125e56a1987b5bdb

        SHA1

        a9ef3500a71f0a29260039de0f4d80bc51f43912

        SHA256

        882c4645013972204e5c933033fa05512a17a5205bbef8144b96fb6ebb4d6825

        SHA512

        b0de499cef5cf1dfcb44c7cee3ccde49e23a061818f55a55bb766855c7e7c98d043ab54ea9f21c76f94c42f41fe272100e22f1d35fa88331f01c2a83245444b1

      • memory/4788-140-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4788-145-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4816-133-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB