e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862

Resubmissions

01/04/2023, 05:43

230401-ge1rcsgc39 8

01/04/2023, 05:42

01/04/2023, 04:26

01/04/2023, 02:49

01/04/2023, 02:31

01/04/2023, 02:27

Analysis

max time kernel
109s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drfone_setup_full3824 (1).exe
Size

2.2MB
MD5

ee06eafbe8972c749a5161e54d3fdcd6
SHA1

80f4197cf15c36acaf37a1ab8159ec4ab2368c26
SHA256

e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862
SHA512

116c7274a1adc3274c046dfdeaf8b187ec31d42dd523522e372b3ce05aada949c4a56856a4cf9c2dfaa2571c5ec62a7629e476d72e8259fa854cfa921b4f83c9
SSDEEP

49152:suI4s4xwYeRQXEEpusP5uKKNeEzo/I/P5jaYRTkTun99ZS6Y0fxfNrBFS:b2Q30rNeEzoiP5ja0397Sb0fxfNrfS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4368	NFWCHK.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4248	drfone_setup_full3824 (1).exe
4248	drfone_setup_full3824 (1).exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4368	4248	drfone_setup_full3824 (1).exe	84
PID 4248 wrote to memory of 4368	4248	drfone_setup_full3824 (1).exe	84

C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe
"C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:4368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
496B

MD5
ce3e45790bae0f2b2a0db3f27510376c

SHA1
0674981ccea11e19ac59e23167cbb8eb4c3aed34

SHA256
56248d4c0ad2ad5cb58d7cb5e513761381f4faeaa660ca4491c673172121c802

SHA512
0f3886eb3a8bdd4e88cf986aa2769c94424dc83f98185f0c6fb5ad910ecfd0bdbe4c3b595c2af39c7b1e9a57999453bf3a080611633333bc48b53f302c1208ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
945B

MD5
03a04a36bc98b4a71529059323c087b1

SHA1
63891c961111a0a1f40a7739f5482ac05c630635

SHA256
41539b4e9669f130f7b493ac6056cb7c8a3533ab46f316fa82c41ef35ca7fc1b

SHA512
0da27fa936102a76e577ec50c6ad3deab69e505b8b3f93d145a007ba616168f810efafebb9bdc98ed83b3f8c681f9135b82ce260e33634a47aa8a2e737b9f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
fde3457b13ac8cc85dc1ac057dff622b

SHA1
b1733c3875b2a9fc799cbd97515ec5921178cc63

SHA256
02633f2561fea0c389546fb3bc9ed4df4bc5bff80098873c459768fe06f99e18

SHA512
8b17d6505c7ca3fb734000b93d3e00fc4f08d7b7a84149c30518562177f02f87c1bbbb3747ebb106252536c921e4c30196d93c44da0213210a161b936fc14802

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
7KB

MD5
ea887c6e64aa03521d79e64d6bfa5fd1

SHA1
55f1069c8f78e9b85347ffcb140d70957ac83868

SHA256
c6e3e3664abadd803803ffdde91ed84c400e9c3cb956d378bf9ffa44e453b006

SHA512
25cf4cc0eec0834d59e9cb80d88aadcb23989e2e8f9071e3e25cf6fd07c11d89ef12396d290936e59831d64c091e2276b03603ab604c0fc9217747004e0fc0bc

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
memory/4368-1208-0x00000000009E0000-0x0000000000A04000-memory.dmp

Filesize
144KB

Download
memory/4368-1207-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/4368-1209-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/4368-1210-0x0000000000A50000-0x0000000000A70000-memory.dmp

Filesize
128KB

Download
memory/4368-1211-0x000000001B020000-0x000000001B32E000-memory.dmp

Filesize
3.1MB

Download
memory/4368-1212-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4368-1213-0x000000001B730000-0x000000001B779000-memory.dmp

Filesize
292KB

Download
memory/4368-1214-0x000000001B7F0000-0x000000001B852000-memory.dmp

Filesize
392KB

Download
memory/4368-1215-0x000000001BD30000-0x000000001C1FE000-memory.dmp

Filesize
4.8MB

Download
memory/4368-1216-0x000000001C2A0000-0x000000001C33C000-memory.dmp

Filesize
624KB

Download
memory/4368-1217-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/4368-1218-0x000000001C750000-0x000000001C78E000-memory.dmp

Filesize
248KB

Download