Analysis

  • max time kernel
    205s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 00:27

General

  • Target

    a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe

  • Size

    751KB

  • MD5

    01556b65dee807dead61c88aa71c0efc

  • SHA1

    629ef498b2fd362442b2b232a940860d94e38311

  • SHA256

    a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf

  • SHA512

    0eb0d9a8543e23815efc0933fa24ad72cd410c7091cb89a7a7cbcd6f02d5b2aa699676b77afd94028dad3e83de5b77bae9e29fe212b4079316bb76ac6fb33818

  • SSDEEP

    12288:53Nc6QXqw9MgKnxYaGu5jji2YQ6MpzUK1bOnnCOazb4gR8wmq3/PFdTyVD:53NcDKnxYaXJi2Y3MpbwnCvzb4cbmYdU

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs

    The two dropped executables are C:\Windows\Logo1_.exe (PID 748) and a 717KB file written back to Temp under the submitted sample's own name (PID 996). That second file has different hashes from the submitted 751KB sample; the roughly 34KB difference is close to the 33KB size of Logo1_.exe, which is consistent with the submitted file being a host program with the Logo1_ component attached rather than the 33KB component on its own.

  • Deletes itself 1 IoCs

    Raised on the cmd.exe instance (PID 1524) that runs the dropped batch file $$aF8F0.bat; the batch file's contents are not shown in this report.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is its generic text for the signature: nothing else in this report points to encryption, and drive enumeration combined with 64 file writes under Program Files and executables dropped into C:\Windows is at least as consistent with a file infector propagating to other executables.

  • Runs net.exe

    net stop "Kingsoft AntiVirus Service" is issued three times, once by the sample (PID 1260) and twice by Logo1_.exe (PIDs 1516 and 916), each through the usual net1.exe helper. It targets a single product by service name and does nothing on a host where that product is not installed. All three run from SysWOW64, i.e. the sample is a 32-bit binary on the x64 image.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe
        "C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:828
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF8F0.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe
              "C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:996
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1516
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1776
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1628
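
Detection logic for the chain above, as an added example that is not part of this sandbox report. It runs three checks over constructed process-creation and file-creation events transcribed from the tree: an AV service stopped through net.exe or net1.exe, a batch file launched from Temp, and an executable written to the root of C:\Windows whose name is one character away from a system binary. The event layout is a simplified, hypothetical Sysmon-style export, the keyword and system-binary lists are assumptions, and the report does not say which process wrote rundl132.exe, so attributing that write to PID 1192 is also an assumption.

```python
import re

# Constructed events modelled on the process tree and dropped-file list in the
# report: PIDs, image paths and command lines are copied from it; the dict
# layout is a hypothetical Sysmon-style export, not a real product format.
# The rundl132.exe write is assigned to PID 1192 by assumption, and the last
# event is a constructed benign control (an admin stopping an unrelated service).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe")
EVENTS = [
    {"kind": "process", "pid": 1192, "ppid": 1212, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "file", "pid": 1192, "target": r"C:\Windows\Logo1_.exe"},
    {"kind": "file", "pid": 1192, "target": r"C:\Windows\rundl132.exe"},
    {"kind": "process", "pid": 1260, "ppid": 1192, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"kind": "process", "pid": 828, "ppid": 1260, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"kind": "process", "pid": 1524, "ppid": 1192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF8F0.bat"},
    {"kind": "process", "pid": 748, "ppid": 1192, "image": r"C:\Windows\Logo1_.exe",
     "cmdline": r"C:\Windows\Logo1_.exe"},
    {"kind": "process", "pid": 4000, "ppid": 3000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Print Spooler"'},
]

# Words that mark a service as security software. Only "Kingsoft AntiVirus
# Service" appears in the report; the other terms are assumptions.
AV_WORDS = ("antivirus", "anti-virus", "defender", "security")
# System binaries a dropped file name may imitate (assumed watch list).
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe")
STOP_RE = re.compile(r'\bstop\s+"?([^"]+)"?', re.I)          # service name after "stop"
TEMP_BAT_RE = re.compile(r'\\Temp\\[^\s"]+\.bat\b', re.I)    # batch file run out of Temp


def levenshtein(a, b):
    """Edit distance; used to catch names one character away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def detect(events):
    """Return one finding dict per rule hit, in event order."""
    findings = []
    for e in events:
        if e["kind"] == "process":
            name = basename(e["image"]).lower()
            m = STOP_RE.search(e["cmdline"])
            # Rule 1: net/net1 stopping a service whose name looks like security software.
            if name in ("net.exe", "net1.exe") and m and any(w in m.group(1).lower() for w in AV_WORDS):
                findings.append({"pid": e["pid"], "rule": "av_service_stop", "detail": m.group(1)})
            # Rule 2: cmd.exe launching a batch file that lives in a Temp directory.
            if name == "cmd.exe" and TEMP_BAT_RE.search(e["cmdline"]):
                findings.append({"pid": e["pid"], "rule": "temp_batch_launch", "detail": e["cmdline"]})
        elif e["kind"] == "file":
            target = e["target"]
            # Rule 3: an .exe created directly in C:\Windows; record any system binary it imitates.
            if dirname(target).lower() == r"c:\windows" and target.lower().endswith(".exe"):
                lookalike = [s for s in SYSTEM_BINARIES if levenshtein(basename(target).lower(), s) == 1]
                findings.append({"pid": e["pid"], "rule": "exe_written_to_windows_root",
                                 "detail": basename(target), "lookalike": lookalike})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Both net.exe and its net1.exe child are flagged on purpose: net.exe only forwards to net1.exe, so a rule that watches net.exe alone misses a direct net1 invocation; collapse the pair on the parent PID when reporting. The edit-distance check is what separates rundl132.exe from rundll32.exe, a difference easy to miss when reading a file list by eye.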

          Network

          MITRE ATT&CK Enterprise v6


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aF8F0.bat

            Filesize

            722B

            MD5

            ba2b3cbf7a6ce66d6a72a528a0f4fc24

            SHA1

            ada250caaa18a01e01f7fd60ef9a659ba6ea2948

            SHA256

            5acb101f6ea3124f58679c7ba6fceb6ad6107cedc5820cb99a20a995b405ea79

            SHA512

            8844e4a7aba10583f8b2e177aad91a312d7aeefdf90903f9a77c260a8b56c57916209ddca826bf3c0ec5af2c0d9385c31fab27c0f4ca4008de5b9129a0aa7042

          • C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe

            Filesize

            717KB

            MD5

            169c293ce9460a05646d17dc6aa2fb2c

            SHA1

            f0c018d61e844447dcc5a5734e1edff4997e59d5

            SHA256

            a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

            SHA512

            7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

          • C:\Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe.exe

            Filesize

            717KB

            MD5

            169c293ce9460a05646d17dc6aa2fb2c

            SHA1

            f0c018d61e844447dcc5a5734e1edff4997e59d5

            SHA256

            a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

            SHA512

            7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            3dd88b0ec0db473ba1ec88395d38b18f

            SHA1

            bbd8c3e6cc7eee419524004629d575ddc97c7e7a

            SHA256

            9ed6b0fbb8f973e5d17d716c844dd1a586829dc1b29d70ee1f56a6826fd00a0f

            SHA512

            ac44fb89011ee1129be139e0646c8a85e356e71f510320817b2926cd63fcbe0dd23c2384ce63edd7de75750bb5bff82f9ea3eb63bcd808bf495f2e3d8f204939

          • C:\Windows\rundl132.exe

            Filesize

            33KB

            MD5

            3dd88b0ec0db473ba1ec88395d38b18f

            SHA1

            bbd8c3e6cc7eee419524004629d575ddc97c7e7a

            SHA256

            9ed6b0fbb8f973e5d17d716c844dd1a586829dc1b29d70ee1f56a6826fd00a0f

            SHA512

            ac44fb89011ee1129be139e0646c8a85e356e71f510320817b2926cd63fcbe0dd23c2384ce63edd7de75750bb5bff82f9ea3eb63bcd808bf495f2e3d8f204939

          • \Users\Admin\AppData\Local\Temp\a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf.exe

            Filesize

            717KB

            MD5

            169c293ce9460a05646d17dc6aa2fb2c

            SHA1

            f0c018d61e844447dcc5a5734e1edff4997e59d5

            SHA256

            a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

            SHA512

            7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

          • memory/748-70-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/748-77-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/748-58-0x0000000000000000-mapping.dmp

          • memory/828-55-0x0000000000000000-mapping.dmp

          • memory/916-75-0x0000000000000000-mapping.dmp

          • memory/996-68-0x0000000000000000-mapping.dmp

          • memory/996-71-0x0000000075591000-0x0000000075593000-memory.dmp

            Filesize

            8KB

          • memory/1192-56-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/1192-60-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/1260-54-0x0000000000000000-mapping.dmp

          • memory/1516-62-0x0000000000000000-mapping.dmp

          • memory/1524-57-0x0000000000000000-mapping.dmp

          • memory/1628-76-0x0000000000000000-mapping.dmp

          • memory/1776-65-0x0000000000000000-mapping.dmp
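
The artifact list above reduces to a handful of distinct indicators and can be checked for internal consistency. The following is an added example, not part of the report: it carries the SHA-256 values, reported sizes and dump names transcribed from the list, collapses the file entries by hash, lists the files that reuse the submitted sample's name under a different hash, and verifies that each memory dump's address range matches the size the report gives for it. Which process each dump belongs to is read off the PIDs in the process tree; the report does not say what the -mapping entries record beyond the PID, so the parser keeps them without a size.

```python
import re

# Transcribed from the General section and the Downloads list in the report:
# paths, reported sizes and SHA-256 values (the MD5/SHA-1/SHA-512 columns
# would be handled identically). Everything is embedded; nothing is fetched.
SUBMITTED_SHA256 = "a5453e8bdfb74c89ae3df7d85fffb21367d09b398a5474af0d44d47ae7f8c2cf"
SAMPLE_NAME = SUBMITTED_SHA256 + ".exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED_EXE_SHA256 = "a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6"
LOGO1_SHA256 = "9ed6b0fbb8f973e5d17d716c844dd1a586829dc1b29d70ee1f56a6826fd00a0f"
BAT_SHA256 = "5acb101f6ea3124f58679c7ba6fceb6ad6107cedc5820cb99a20a995b405ea79"
FILES = [  # (path, reported size, sha256), in the order the report lists them
    (TEMP + r"\$$aF8F0.bat", "722B", BAT_SHA256),
    (TEMP + "\\" + SAMPLE_NAME, "717KB", DROPPED_EXE_SHA256),
    (TEMP + "\\" + SAMPLE_NAME + ".exe", "717KB", DROPPED_EXE_SHA256),
    (r"C:\Windows\Logo1_.exe", "33KB", LOGO1_SHA256),
    (r"C:\Windows\rundl132.exe", "33KB", LOGO1_SHA256),
    (r"\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME, "717KB", DROPPED_EXE_SHA256),
]
DUMPS = [  # (dump name, reported size or None for entries without a range)
    ("memory/748-70-0x0000000000400000-0x000000000043E000-memory.dmp", "248KB"),
    ("memory/748-77-0x0000000000400000-0x000000000043E000-memory.dmp", "248KB"),
    ("memory/748-58-0x0000000000000000-mapping.dmp", None),
    ("memory/996-71-0x0000000075591000-0x0000000075593000-memory.dmp", "8KB"),
    ("memory/1192-56-0x0000000000400000-0x000000000043E000-memory.dmp", "248KB"),
    ("memory/1192-60-0x0000000000400000-0x000000000043E000-memory.dmp", "248KB"),
]
PROCESS_BY_PID = {1192: SAMPLE_NAME, 748: "Logo1_.exe", 996: SAMPLE_NAME + " (dropped copy)"}

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")


def parse_size(text):
    """'722B' -> 722, '717KB' -> 734208. Sandbox sizes are rounded, so treat them as approximate."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def distinct_files(files):
    """Collapse the list to one record per SHA-256 and flag size disagreements between entries."""
    by_hash = {}
    for path, size, sha in files:
        rec = by_hash.setdefault(sha, {"paths": [], "size": size, "size_conflict": False})
        if path not in rec["paths"]:
            rec["paths"].append(path)
        if rec["size"] != size:
            rec["size_conflict"] = True
    return by_hash


def name_reuse(files, sample_name, submitted_sha):
    """Dropped files whose name begins with the submitted sample's name but whose hash differs."""
    return sorted({p for p, _, sha in files
                   if p.rsplit("\\", 1)[-1].startswith(sample_name) and sha != submitted_sha})


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-<start>[-<end>-memory|-mapping].dmp' into its fields."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": int(m["start"], 16), "end": end}


def check_dump_sizes(dumps):
    """For each ranged dump compare end - start with the reported size, to whole KB."""
    out = []
    for name, reported in dumps:
        d = parse_dump_name(name)
        if d["end"] is None:
            out.append((name, None, reported, True))   # no range to check
            continue
        computed = d["end"] - d["start"]
        ok = reported is not None and computed // 1024 == parse_size(reported) // 1024
        out.append((name, computed, reported, ok))
    return out


def dumps_by_process(dumps, names):
    """Group dump names by PID, labelling each PID from the process tree."""
    groups = {}
    for name, _ in dumps:
        pid = parse_dump_name(name)["pid"]
        groups.setdefault((pid, names.get(pid, "unknown")), []).append(name)
    return groups


if __name__ == "__main__":
    for sha, rec in distinct_files(FILES).items():
        print(sha[:12], rec["size"], rec["paths"])
    print("reuse submitted name:", name_reuse(FILES, SAMPLE_NAME, SUBMITTED_SHA256))
    for row in check_dump_sizes(DUMPS):
        print(row)
```

Six file entries collapse to three hashes, and the submitted sample's own hash is not among them: every file that carries the sample's name is the 717KB a7acecc5 file, not the 751KB a5453e8b binary that was submitted. The 0x400000-0x43E000 region (248KB) is dumped from both PID 1192 and PID 748, which is the same range in the submitted sample and in Logo1_.exe.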