Overview

overview

8

Static

static

ffe44ba063...eb.exe

windows7-x64

8

ffe44ba063...eb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    194s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe

  • Size

    97KB

  • MD5

    164271a03f2c9df025f44a4eff1ce7d0

  • SHA1

    704aa0f010c29a261eff841232bd058d5405ca66

  • SHA256

    ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb

  • SHA512

    20f65860db29996ef239c6e5ff833d306c50221a16d5ed8a9501425a41b3b7e2802e738982cd39796cc3254d87f6791e7f6f00a4c7a5f2b738702663459c80a8

  • SSDEEP

    1536:rTtaYzMXqtGNtty1yVumRTT0f88qP2CsRdxgwGGCIOunToIfiWdN:rTtaY46tGNtty1pf8l2CHRGgKTBfik

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe
        "C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:624
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF22C.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1164
            • C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe
              "C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe"
              4⤵
              • Executes dropped EXE
              PID:1876
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1468
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1832
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1824

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aF22C.bat
            Filesize

            722B

            MD5

            6932a0607e65a777ac7067a046e9d6cb

            SHA1

            80751b30fc1a8049eacf610b87cc1cfb23221c5a

            SHA256

            147e37eda066403861edb31da950bdfdac0998dcf88393d34de4d498eb584a8b

            SHA512

            34338c4bfa9e768f991e65091c20eee1418d50d4863c45c0f995a578382e097bb99c7e1ccaea49dff276013245c1fdcc5446e5c86290a6c089a0d3bd912ced66

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe
            Filesize

            64KB

            MD5

            ae6ce17005c63b7e9bf15a2a21abb315

            SHA1

            9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

            SHA256

            4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

            SHA512

            c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe.exe
            Filesize

            64KB

            MD5

            ae6ce17005c63b7e9bf15a2a21abb315

            SHA1

            9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

            SHA256

            4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

            SHA512

            c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

            Download Submit
          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            560f6b919b175cc9c8c7428f21da9e66

            SHA1

            baca555c4a12b50908a5adcef4a3d2bebc7da7ba

            SHA256

            5964c8953c9114da5f806222bc73c0cebc4ccbe582ae610952c20cc74b7ae875

            SHA512

            6e1c3e044284a5bd1d361ab41e80cde3fc488d40ab8a9155952153f1564e87a2a0d7abf453dd8d9b1f6f1f5d9f506afe491431f83767aad7e8df2d59db8b69e6

            Download Submit
          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            560f6b919b175cc9c8c7428f21da9e66

            SHA1

            baca555c4a12b50908a5adcef4a3d2bebc7da7ba

            SHA256

            5964c8953c9114da5f806222bc73c0cebc4ccbe582ae610952c20cc74b7ae875

            SHA512

            6e1c3e044284a5bd1d361ab41e80cde3fc488d40ab8a9155952153f1564e87a2a0d7abf453dd8d9b1f6f1f5d9f506afe491431f83767aad7e8df2d59db8b69e6

            Download Submit
          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            560f6b919b175cc9c8c7428f21da9e66

            SHA1

            baca555c4a12b50908a5adcef4a3d2bebc7da7ba

            SHA256

            5964c8953c9114da5f806222bc73c0cebc4ccbe582ae610952c20cc74b7ae875

            SHA512

            6e1c3e044284a5bd1d361ab41e80cde3fc488d40ab8a9155952153f1564e87a2a0d7abf453dd8d9b1f6f1f5d9f506afe491431f83767aad7e8df2d59db8b69e6

            Download Submit
          • \Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe
            Filesize

            64KB

            MD5

            ae6ce17005c63b7e9bf15a2a21abb315

            SHA1

            9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

            SHA256

            4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

            SHA512

            c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

            Download Submit
          • \Users\Admin\AppData\Local\Temp\ffe44ba0632afcc57e8864ab2931fae38d4795abfc53f703df9eeab311d525eb.exe
            Filesize

            64KB

            MD5

            ae6ce17005c63b7e9bf15a2a21abb315

            SHA1

            9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

            SHA256

            4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

            SHA512

            c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

            Download Submit
          • memory/376-75-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/376-58-0x0000000000000000-mapping.dmp
            Download
          • memory/376-71-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/624-56-0x0000000000000000-mapping.dmp
            Download
          • memory/916-73-0x0000000000000000-mapping.dmp
            Download
          • memory/1164-57-0x0000000000000000-mapping.dmp
            Download
          • memory/1380-55-0x0000000000000000-mapping.dmp
            Download
          • memory/1468-62-0x0000000000000000-mapping.dmp
            Download
          • memory/1528-60-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/1528-54-0x0000000000400000-0x000000000043E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/1824-74-0x0000000000000000-mapping.dmp
            Download
          • memory/1832-63-0x0000000000000000-mapping.dmp
            Download
          • memory/1876-70-0x0000000075611000-0x0000000075613000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1876-68-0x0000000000000000-mapping.dmp
            Download