Overview

overview

6

Static

static

3

251705bff8...7c.exe

windows7-x64

6

251705bff8...7c.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/09/2023, 22:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    251705bff81065dd9542bb01b938b1ea76b846ebbdad1255880cc7f416e89e7c.exe

  • Size

    26KB

  • MD5

    fd67facdbcb3418d53b336fa29a4ebaf

  • SHA1

    bf4130709c66654c783c758f4963bfef4a13c6e6

  • SHA256

    251705bff81065dd9542bb01b938b1ea76b846ebbdad1255880cc7f416e89e7c

  • SHA512

    90f633eb47eb22f28715bf5bf5afd71b2f7a344765f46d7eb43f3b0a8ade8aa825342f02fd8236e82280e998314f93074bde1c7b2f6ee50880afbf8b5656a189

  • SSDEEP

    768:YK1ODKAaDMG8H92RwZNQSw+IlJIJJREIOAEeF1:VfgLdQAQfhJIJ0IO61

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3180
      • C:\Users\Admin\AppData\Local\Temp\251705bff81065dd9542bb01b938b1ea76b846ebbdad1255880cc7f416e89e7c.exe
        "C:\Users\Admin\AppData\Local\Temp\251705bff81065dd9542bb01b938b1ea76b846ebbdad1255880cc7f416e89e7c.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:180

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              fb0e55bd598718eeb4a10556052bcc0e

              SHA1

              7973070c0cfc65997f07519c93cbbec18093edfe

              SHA256

              636ac1d870c072f456e9452f3286fc44986e28f22def36784c555b51dc6c4527

              SHA512

              3304b991f3f2d058cae86f99c4cd093f2d50f5153f24e34bfb9636ca964cf6ef11cf0abdd3365d63afb36413394f9fa06f34a839e9c33d962d5c9e90b3c40a85

              Download Submit

            • C:\Program Files\Google\Chrome\Application\chrome.exe
              Filesize

              2.8MB

              MD5

              ea1c37fc590737ef8532671f228c0b64

              SHA1

              dbe498694e3d9b13f42afd063161a997f658f2b0

              SHA256

              8ea6d1afaaf15a04801d56b5068ffc2f3f390c0d648ae319112ee7c795d5c08e

              SHA512

              0ed8b710493ee7af1fd5e98f9edac82c89484947d180f7bb86f52afa904a394b48b4f16758dc2a7c5472f9df4fb5d04d9b40bc5af15a441af3c4c9d3bf1804d7

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini
              Filesize

              9B

              MD5

              2c0dac5a0ee90681d41a5cbf86d94297

              SHA1

              b307129f31736ea24c948dca5581aef59a81d7e4

              SHA256

              66a0286083e73a4fc72c934ced498268654207bc94b597c7c6c7f5df5dd03877

              SHA512

              cde36e6bd833ec09b79438b98ed8c5424c12c06d7e6afdbedf7b3e97786c57cf51bf6458b958fa9ef820b884b17daad45be0901b5a16fdc276489b7ffdc67e80

              Download Submit

            • memory/1708-27-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-19-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-23-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-13-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-104-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-1264-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-5-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-4775-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1708-4806-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download