Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 16:36

General

  • Target

    fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe

  • Size

    154KB

  • MD5

    6911e976059aace6b4c686d4c7f6c480

  • SHA1

    1763f56620469fa4ac981a7d72a5b09f3ea8e3d0

  • SHA256

    fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4

  • SHA512

    904c5f8b8f359befaf57c0c6bd25947b126923ce022dfb0046c8b3d1712f96a74e5b2d03a6cbbe48c4fe4f5be2e9a39ec97a3a112131664ff1fc0440d97aff4d

  • SSDEEP

    3072:pwkuJVLIaDcmjfamFQ1GJaRrzjq3DeZ+jThFkY:ruJ9cm1FQ1G8RrzmX+Y

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Enumerates connected drives (3 TTPs, 22 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
        "C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB163.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe
            "C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe"
            4⤵
            • Executes dropped EXE
            PID:1384
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4328
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3140
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:308
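
The process tree above is the part of this report a detection engineer would want to turn into rules. The following is an added example, not the sandbox vendor's code: the tree is re-encoded as Sysmon Event ID 1-style process-creation records (same PIDs, parent PIDs, image paths and command lines as shown) and run through three rules that capture the chain flagged here: an executable in the user's Temp directory handing off to cmd.exe running a .bat from Temp, that batch script launching an .exe placed directly in C:\Windows (Logo1_.exe), and net.exe/net1.exe stopping a service whose name suggests a security product. The event list is constructed from this page; the rule names and regular expressions are the editor's own and assume full command lines are logged.

```python
"""Flag the process chain shown in this report from process-creation events.

Added example (not the sandbox's own code). EVENTS is constructed from the
report's process tree: same PIDs, parent PIDs, image paths and command lines.
The rules assume Sysmon Event ID 1-style records with full command lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
BAT_PATH = TEMP + r"\$$aB163.bat"

# Constructed from the process tree in this report.
EVENTS = [
    ProcEvent(1040, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3808, 1040, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(3700, 3808, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c " + BAT_PATH),
    ProcEvent(1384, 3700, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(4328, 3700, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(3140, 4328, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(308, 3140, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Rule inputs (editor's regexes, not vendor signatures).
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
CMD_RUNS_TEMP_BAT_RE = re.compile(r"/c\s+\S*\\Temp\\\S*\.bat\b", re.I)
# An .exe directly in %WINDIR%, not under System32, SysWOW64 or another subdir.
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
NET_STOP_SECURITY_RE = re.compile(
    r"\bstop\b.*(anti.?virus|anti.?malware|defender|security|protect)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_events(events):
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # Rule 1: cmd.exe running a .bat from %TEMP%, spawned by an exe that
        # itself lives in %TEMP% (the dropper handing off to its batch script).
        if (name == "cmd.exe" and CMD_RUNS_TEMP_BAT_RE.search(e.cmdline)
                and parent is not None and USER_TEMP_RE.search(parent.image)):
            hits.append((e.pid, "temp_exe_runs_temp_bat"))
        # Rule 2: an exe sitting directly in C:\Windows, launched by that batch
        # script (Logo1_.exe here; benign installers rarely drop there).
        if (WINDIR_ROOT_EXE_RE.match(e.image) and parent is not None
                and basename(parent.image) == "cmd.exe"
                and CMD_RUNS_TEMP_BAT_RE.search(parent.cmdline)):
            hits.append((e.pid, "temp_bat_launches_windir_root_exe"))
        # Rule 3: net/net1 stopping a service whose name suggests a security product.
        if name in ("net.exe", "net1.exe") and NET_STOP_SECURITY_RE.search(e.cmdline):
            hits.append((e.pid, "net_stop_security_service"))
    return hits


if __name__ == "__main__":
    for pid, rule in flag_events(EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, rules fire on PIDs 3700 (cmd.exe), 4328 (Logo1_.exe), 3140 (net.exe) and 308 (net1.exe); the relaunched copy of the sample (PID 1384) is not flagged by these rules because it runs from Temp, which is where "Executes dropped EXE" in the Signatures section would be the relevant signal. Rules 1 and 2 key on the parent's command line, so they need the parent record to be present in the same event set.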

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$aB163.bat

        Filesize

        722B

        MD5

        dba00991f70bbd6928c8aaf46f2f25ad

        SHA1

        6f09a03c94dcf028628a2191d5a075a0efb43a42

        SHA256

        6f315acfe8c55cf7b1e3d6382c2b280cfffe9506fb2fd166216bcbb80365050c

        SHA512

        b1633909b1db5f7363d9f94f02ea98c8a62dd1b985dfec6895bf5f2af0d41f58dc0712defa186e55da43eb84f2721e4e645384bd29827f9bd13db9f9f980a2d8

      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe

        Filesize

        124KB

        MD5

        e4d04d2074ee74c56c1e5b1b316ab026

        SHA1

        3cf6d88c3b3605e9e8fed5cb101c551c65aa9555

        SHA256

        0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4

        SHA512

        dc53937812646c7164726d872799a2e2ff7fbcbdaa3547aa928d51ebe95eed78cd310bbeacc7b7d924556375cf158694a1c59ee2fc2b4adaaad92e911e29a7a6

      • C:\Users\Admin\AppData\Local\Temp\fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4.exe.exe

        Filesize

        124KB

        MD5

        e4d04d2074ee74c56c1e5b1b316ab026

        SHA1

        3cf6d88c3b3605e9e8fed5cb101c551c65aa9555

        SHA256

        0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4

        SHA512

        dc53937812646c7164726d872799a2e2ff7fbcbdaa3547aa928d51ebe95eed78cd310bbeacc7b7d924556375cf158694a1c59ee2fc2b4adaaad92e911e29a7a6

      • C:\Windows\Logo1_.exe

        Filesize

        29KB

        MD5

        3781429b8c1180e7bd7ed54714d12fa9

        SHA1

        0d6058a654eebe0cf921c34061427612d69dc0b1

        SHA256

        9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453

        SHA512

        438b6fe5e51a8e65c2dbb8edce7b62e45e0b0d9f75b4dfa1d1296b7e54f09170f8c65b30dff6164745fc0ca92eecf274ab4e761023adb7574fd50705d5f28ae9

      • C:\Windows\rundl132.exe

        Filesize

        29KB

        MD5

        3781429b8c1180e7bd7ed54714d12fa9

        SHA1

        0d6058a654eebe0cf921c34061427612d69dc0b1

        SHA256

        9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453

        SHA512

        438b6fe5e51a8e65c2dbb8edce7b62e45e0b0d9f75b4dfa1d1296b7e54f09170f8c65b30dff6164745fc0ca92eecf274ab4e761023adb7574fd50705d5f28ae9

      • memory/3808-135-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/4328-140-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/4328-145-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB
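
The Downloads section is the hash inventory a responder would sweep a host with. Two details in it matter for how that sweep is written: the payload in C:\Windows appears under two names (Logo1_.exe and rundl132.exe) with identical hashes, and the sample is re-dropped in Temp both under its own name and with a doubled ".exe.exe" extension, also with one shared hash. Matching on content rather than filename therefore catches renamed copies. The following is an added example, not the sandbox's code: it streams each file once to produce the same four digests the report lists, looks the SHA256 up in a table copied from this page, and walks a directory tree. The function names and the descriptions in the IOC table are the editor's; the hash values are the report's.

```python
"""Match files on disk against the hashes listed in this report.

Added example (not the sandbox's own code). REPORT_IOCS holds the SHA256
values from the Downloads section above; function names and descriptions
are the editor's. Logo1_.exe and rundl132.exe share one hash set in the
report, so a single entry covers both paths.
"""
import hashlib
import os

ALGOS = ("md5", "sha1", "sha256", "sha512")

# SHA256 -> what the report says the file is.
REPORT_IOCS = {
    "fe9c4f6833115c316369d8323973b19e637871cdcd62c5f36b92b1405ec450b4":
        "submitted sample (154KB)",
    "6f315acfe8c55cf7b1e3d6382c2b280cfffe9506fb2fd166216bcbb80365050c":
        "dropped batch script $$aB163.bat (722B)",
    "0b025849ba2d45240a2fa0f41eed7a84e356bab87b6b2ae0bb34c583b8c1bcb4":
        "re-dropped copy of the sample in Temp, .exe and .exe.exe (124KB)",
    "9ae25ace8978581345f1c0cbf25224e8e7f9ec4c1defaad0ddaef5c7ff628453":
        r"C:\Windows\Logo1_.exe and C:\Windows\rundl132.exe (29KB)",
}


def digest_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer (e.g. a carved memory region)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Read a file once and compute all four digests the report lists."""
    hashers = {alg: hashlib.new(alg) for alg in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS):
    """Return the IOC description for a digest set, or None if no hash matches."""
    return iocs.get(digests["sha256"].lower())


def scan_tree(root: str, iocs: dict = REPORT_IOCS) -> list:
    """Walk a directory and return (path, description) for every hash hit.

    Matching is content-based on purpose: the report shows the same payload
    under two filenames, so a filename-only sweep would miss renamed copies.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                desc = match_iocs(digest_file(path), iocs)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the sweep
            if desc:
                hits.append((path, desc))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, desc in scan_tree(root):
        print(f"{path}: {desc}")
```

Pointing the script at C:\Windows and the user's AppData\Local\Temp covers every drop location in this report. The MD5 and SHA1 values are computed alongside SHA256 so the output can be compared line by line with the report's entries, but only SHA256 is used for the match.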