e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862

Resubmissions

01/04/2023, 05:43

230401-ge1rcsgc39 8

01/04/2023, 05:42

01/04/2023, 04:26

01/04/2023, 02:49

01/04/2023, 02:31

01/04/2023, 02:27

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drfone_setup_full3824 (1).exe
Size

2.2MB
MD5

ee06eafbe8972c749a5161e54d3fdcd6
SHA1

80f4197cf15c36acaf37a1ab8159ec4ab2368c26
SHA256

e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862
SHA512

116c7274a1adc3274c046dfdeaf8b187ec31d42dd523522e372b3ce05aada949c4a56856a4cf9c2dfaa2571c5ec62a7629e476d72e8259fa854cfa921b4f83c9
SSDEEP

49152:suI4s4xwYeRQXEEpusP5uKKNeEzo/I/P5jaYRTkTun99ZS6Y0fxfNrBFS:b2Q30rNeEzoiP5ja0397Sb0fxfNrfS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	NFWCHK.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3732	drfone_setup_full3824 (1).exe
3732	drfone_setup_full3824 (1).exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4704	3732	drfone_setup_full3824 (1).exe	82
PID 3732 wrote to memory of 4704	3732	drfone_setup_full3824 (1).exe	82

C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe
"C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
496B

MD5
fe19c8a439b8495b5f826c9d2e1eebe5

SHA1
f44641cc3ad59c2d73dfa8249cc38a7f62a3e3ab

SHA256
b5cfdc876e4612a38c36b19b2d7ea0a26f381f559e5e6c608d826b846bbcb5ce

SHA512
ec28ce9e540a15314a4a66078c83d2bc38e02f3983a61ebefee3571cd7b692f12ad59dc62ec3c20ecdf0d5e00154a5055331bbbfd28c750920881c7efa22afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
945B

MD5
b025997ad8b83001ceee5518e0618855

SHA1
c8de1a6c1f4674e2e48986f15c29904f7dfa72e3

SHA256
ca381e3da2f89f656b2ff7619d3888118e4cb8625c9e5968be5cf734d0f37b06

SHA512
ea861ee643a14b8bd47d96b63d077d32f37cb7b9c26ecf48d6b53b5e35c0247b0d0bdefaf5590e6013fa532c4a27af89e4439de998b08b2c2ce97b39364aa99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
1KB

MD5
124909a97ca8666ddc88708addefcb46

SHA1
4802ef02a653c03f1ac87385e8f2b182cc66cc7c

SHA256
0736644cef4d47caa5daefa8da889ecd1e614f6ee27e96989c1fdb6da5b3435c

SHA512
d6937202e6745be97efb9c0d7293fd66e02a7cdd1e245fde6586234c89213d367ea164290943aab7465e01565d838261de1c480c1b829a33e1a5dbcc518dc905

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
7KB

MD5
c7367a5aca72146a2376d17963481b26

SHA1
db340522686b0d632777ad5080f0aa6a4e4371a1

SHA256
0603ebaa747e45d8db3488ee86ca8bc2afef22403e9f0c4e4d76eb8c8b03a8f8

SHA512
3e7259eaf5d6e17cf08b4f5736f405770bdb34916595471b3fcc41f8ced1ae84085b75afe7ea60750ce55c3958a7c3283c59b17d4ada00f667a01910d140fb52

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
memory/4704-1208-0x0000000001460000-0x0000000001484000-memory.dmp

Filesize
144KB

Download
memory/4704-1207-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/4704-1209-0x0000000001490000-0x00000000014A8000-memory.dmp

Filesize
96KB

Download
memory/4704-1210-0x000000001B720000-0x000000001B740000-memory.dmp

Filesize
128KB

Download
memory/4704-1211-0x000000001B740000-0x000000001BA4E000-memory.dmp

Filesize
3.1MB

Download
memory/4704-1212-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/4704-1213-0x000000001BEF0000-0x000000001BF39000-memory.dmp

Filesize
292KB

Download
memory/4704-1214-0x000000001BFB0000-0x000000001C012000-memory.dmp

Filesize
392KB

Download
memory/4704-1215-0x000000001C4F0000-0x000000001C9BE000-memory.dmp

Filesize
4.8MB

Download
memory/4704-1216-0x000000001CA60000-0x000000001CAFC000-memory.dmp

Filesize
624KB

Download
memory/4704-1217-0x000000001BE80000-0x000000001BE88000-memory.dmp

Filesize
32KB

Download
memory/4704-1218-0x000000001CF30000-0x000000001CF6E000-memory.dmp

Filesize
248KB

Download