Overview

overview

8

Static

static

30921dec14...31.exe

windows7-x64

8

30921dec14...31.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 22:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe

  • Size

    180KB

  • MD5

    408c1bb0e6b776782fce5d05bafcf211

  • SHA1

    17cda0da8f37a1964b1cedf35b667d3ca322696e

  • SHA256

    30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431

  • SHA512

    9fbfecbba73f03b325d4142758948c2e98c317acae61733451ca3ebed641bf55e2fc679c3560617f3092cfbc5f0372e475555fe552a5122eea325827e639b1f0

  • SSDEEP

    3072:YftffjmNJLdTx0HPNncumAEib3S9nHCFlIRI90+mI:oVfjmNJLdTx0aumYbC9nHC0I904

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:760
      • C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe
        "C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D21.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5068
          • C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe
            "C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe"
            4⤵
            • Executes dropped EXE
            PID:1924
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4284
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2268

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a6D21.bat
              Filesize

              722B

              MD5

              1452591acb8ec58fa7040452633f4f73

              SHA1

              5726ee8014d13f74a5c941ca76594d12bebc5db8

              SHA256

              45040ef0e91d932c360f791682a40962261e4610744c74cd9cddffae19fbff50

              SHA512

              b0a29123751b3994b590443fa0f11cb545995bdcf525de4f9bdba22b2a4ea0b10c7aca0001b605011e078fa6e1981b94d4122e50059f2e7495e3ad0539cfa855

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe
              Filesize

              153KB

              MD5

              3919077672fdde6058cec5bccad5c481

              SHA1

              f2e39315b68517f8aa6349242176ca45b4ed1eec

              SHA256

              08dea5bfa8c6e9e8e1b41390c538c8b66827f68351d5d800859563dc00daba8a

              SHA512

              5b39b67e123267c7d7b37317c7937ba62dc59e4870763bbffe28ebb11c071d5797b6032e856908aac17854542c14a6f78b0cc96b7fe22634f868caae58f93a56

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\30921dec1452e8beba23059ffde675e5a509f3dc902c4a594e062b46ed9e0431.exe.exe
              Filesize

              153KB

              MD5

              3919077672fdde6058cec5bccad5c481

              SHA1

              f2e39315b68517f8aa6349242176ca45b4ed1eec

              SHA256

              08dea5bfa8c6e9e8e1b41390c538c8b66827f68351d5d800859563dc00daba8a

              SHA512

              5b39b67e123267c7d7b37317c7937ba62dc59e4870763bbffe28ebb11c071d5797b6032e856908aac17854542c14a6f78b0cc96b7fe22634f868caae58f93a56

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              73f465dafb1a342f4a789f78f8deb652

              SHA1

              87bb6209cdc09c1914f6562b2d45129e92cb69b8

              SHA256

              b712dfdc35f88006476bec926c14f3b085b8f2d38762a8977d62e4bc40eeac59

              SHA512

              5198754e4b83d7025dbb0d3338a1fe4472333bf89f105af4485e76406c16d7887acaca67020ab140093eab86537999f8a3ff325b34830967605074b7c925e3f2

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              73f465dafb1a342f4a789f78f8deb652

              SHA1

              87bb6209cdc09c1914f6562b2d45129e92cb69b8

              SHA256

              b712dfdc35f88006476bec926c14f3b085b8f2d38762a8977d62e4bc40eeac59

              SHA512

              5198754e4b83d7025dbb0d3338a1fe4472333bf89f105af4485e76406c16d7887acaca67020ab140093eab86537999f8a3ff325b34830967605074b7c925e3f2

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              26KB

              MD5

              73f465dafb1a342f4a789f78f8deb652

              SHA1

              87bb6209cdc09c1914f6562b2d45129e92cb69b8

              SHA256

              b712dfdc35f88006476bec926c14f3b085b8f2d38762a8977d62e4bc40eeac59

              SHA512

              5198754e4b83d7025dbb0d3338a1fe4472333bf89f105af4485e76406c16d7887acaca67020ab140093eab86537999f8a3ff325b34830967605074b7c925e3f2

              Download Submit

            • memory/1308-138-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1308-132-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/4396-142-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/4396-146-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download