Overview

overview

6

Static

static

3

d41706d5ba...12.exe

windows7-x64

6

d41706d5ba...12.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230824-en
  • resource tags

    arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d41706d5baa47b2e0ac2e901106411f092d704668498e75c5819da0069b24012.exe

  • Size

    29KB

  • MD5

    b1a515735de819d35a407e5a134a528c

  • SHA1

    f4ed54971045aabb7e9345e3c3a93b335e2fd719

  • SHA256

    d41706d5baa47b2e0ac2e901106411f092d704668498e75c5819da0069b24012

  • SHA512

    5c5190cc87be23ccef165d66df6392e80b010cf4909cab8a8c7456eb2cc54d000d3cc8c287843999b59ffcdddade3362c00e6c13a110c04b9d7c60e8ba3bdc5d

  • SSDEEP

    384:NbbP1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:pL16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1328
      • C:\Users\Admin\AppData\Local\Temp\d41706d5baa47b2e0ac2e901106411f092d704668498e75c5819da0069b24012.exe
        "C:\Users\Admin\AppData\Local\Temp\d41706d5baa47b2e0ac2e901106411f092d704668498e75c5819da0069b24012.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1944

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        cd56a8930bdb4ea6727306f6d74a2f1f

        SHA1

        2a00734778b729723fdd2e5824173b5fb7542e84

        SHA256

        cfab0105fa605a5dce73f9fe7e8746a6bb5e541e883f31019b2b3152ef242f42

        SHA512

        8223902010a7e557da6432e0133feb7a4c342330dc421763746ff347762b89127a0b8d0ec1c342539078667eed011e94459d54ebe5b0a124486691acb9cc9439

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        876KB

        MD5

        b290d9f79f525fb3948a17d3b4459818

        SHA1

        e1afcc226eeb830e6c6e60877cb87747adf83350

        SHA256

        408bc80c28309189369e730d5ac387680a411b4c973fe1f8791bd6a0ba02fd61

        SHA512

        625c111ae9c4072d289d5f4177702ded262cca196fdf6b1ae9b4a88cee54c36c3391dd5aa8834f629fafd22b50364e7c82662278d92430e3c9a052e58b94b0db

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1528014236-771305907-3973026625-1000\_desktop.ini
        Filesize

        9B

        MD5

        2326d479b287193a70f520700dc8d23e

        SHA1

        afea66d3788a50debd6f5d4c9dd51f68a4477e64

        SHA256

        95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

        SHA512

        cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

        Download Submit

      • memory/1328-5-0x00000000026B0000-0x00000000026B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1708-67-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-73-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-1047-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-1826-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1708-3022-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download