Overview

overview

8

Static

static

fe9c4f6833...b4.exe

windows7-x64

8

fe9c4f6833...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe

  • Size

    154KB

  • MD5

    6911e976059aace6b4c686d4c7f6c480

  • SHA1

    1763f56620469fa4ac981a7d72a5b09f3ea8e3d0

  • SHA256

    fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4

  • SHA512

    904c5f8b8f359befaf57c0c6bd25947b126923ce022dfb0046c8b3d1712f96a74e5b2d03a6cbbe48c4fe4f5be2e9a39ec97a3a112131664ff1fc0440d97aff4d

  • SSDEEP

    3072:pwkuJVLIaDcmjfamFQ1GJaRrzjq3DeZ+jThFkY:ruJ9cm1FQ1G8RrzmX+Y

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
        "C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7003.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
            "C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe"
            4⤵
            • Executes dropped EXE
            PID:984
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1936

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a7003.bat
        Filesize

        722B

        MD5

        3a4e26e892ed10d3d75a3f29fe2c6157

        SHA1

        20ab35a3ffc6c7c8bd2bb2a8c741b974ba581cd4

        SHA256

        130c09371cdfa3921a26bac4669fd16a35f1929a4f79a336635831ddf4a75cb1

        SHA512

        bf59d42d469127b916f870a21b3f8accd717fa9ab701bb6778fa569789963bc59b7d2df11fd3577b244de515df1b61596bc51061774f5cae96606f57e049c112

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
        Filesize

        124KB

        MD5

        e4d04d2074ee74c56c1e5b1b316ab026

        SHA1

        3cf6d88c3b3605e9e8fed5cb101c551c65aa9555

        SHA256

        0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4

        SHA512

        dc53937812646c7164726d872799a2e2ff7fbcbdaa3547aa928d51ebe95eed78cd310bbeacc7b7d924556375cf158694a1c59ee2fc2b4adaaad92e911e29a7a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe.exe
        Filesize

        124KB

        MD5

        e4d04d2074ee74c56c1e5b1b316ab026

        SHA1

        3cf6d88c3b3605e9e8fed5cb101c551c65aa9555

        SHA256

        0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4

        SHA512

        dc53937812646c7164726d872799a2e2ff7fbcbdaa3547aa928d51ebe95eed78cd310bbeacc7b7d924556375cf158694a1c59ee2fc2b4adaaad92e911e29a7a6

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        3781429b8c1180e7bd7ed54714d12fa9

        SHA1

        0d6058a654eebe0cf921c34061427612d69dc0b1

        SHA256

        9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453

        SHA512

        438b6fe5e51a8e65c2dbb8edce7b62e45e0b0d9f75b4dfa1d1296b7e54f09170f8c65b30dff6164745fc0ca92eecf274ab4e761023adb7574fd50705d5f28ae9

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        3781429b8c1180e7bd7ed54714d12fa9

        SHA1

        0d6058a654eebe0cf921c34061427612d69dc0b1

        SHA256

        9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453

        SHA512

        438b6fe5e51a8e65c2dbb8edce7b62e45e0b0d9f75b4dfa1d1296b7e54f09170f8c65b30dff6164745fc0ca92eecf274ab4e761023adb7574fd50705d5f28ae9

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        3781429b8c1180e7bd7ed54714d12fa9

        SHA1

        0d6058a654eebe0cf921c34061427612d69dc0b1

        SHA256

        9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453

        SHA512

        438b6fe5e51a8e65c2dbb8edce7b62e45e0b0d9f75b4dfa1d1296b7e54f09170f8c65b30dff6164745fc0ca92eecf274ab4e761023adb7574fd50705d5f28ae9

        Download Submit

      • \Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
        Filesize

        124KB

        MD5

        e4d04d2074ee74c56c1e5b1b316ab026

        SHA1

        3cf6d88c3b3605e9e8fed5cb101c551c65aa9555

        SHA256

        0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4

        SHA512

        dc53937812646c7164726d872799a2e2ff7fbcbdaa3547aa928d51ebe95eed78cd310bbeacc7b7d924556375cf158694a1c59ee2fc2b4adaaad92e911e29a7a6

        Download Submit

      • memory/364-54-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1700-67-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1700-68-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download