Overview

overview

8

Static

static

dab65ff785...23.exe

windows7-x64

8

dab65ff785...23.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    138s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

  • Size

    33KB

  • MD5

    3499b6e1dfa63a3e59e8d21cd7871bde

  • SHA1

    8d180febba9d1bcea2ea9db93d3d4c812156be47

  • SHA256

    dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323

  • SHA512

    61097e32a70537953b2d0d82b471f47adde7ecc671718649c614b0ef2e18a0e70ffaaebb9239741f8581bc172b29e5c38da2f48b535f72070370ca91101d3ba9

  • SSDEEP

    768:P4X/IElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PKIaYzMXqtGNttyUn01Q78a4R

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
        "C:\Users\Admin\AppData\Local\Temp\dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe"
        2⤵
        • Drops file in Drivers directory
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1736
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:4972

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1736-134-0x0000000000000000-mapping.dmp

          Download

        • memory/1760-135-0x0000000000000000-mapping.dmp

          Download

        • memory/2220-132-0x0000000000000000-mapping.dmp

          Download

        • memory/3160-133-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3160-137-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4972-136-0x0000000000000000-mapping.dmp

          Download