Overview

overview

6

Static

static

3

95414c479b...87.exe

windows7-x64

6

95414c479b...87.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2023, 22:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe

  • Size

    29KB

  • MD5

    3872fa77fc88f5b0a37885ed0fea6a6c

  • SHA1

    c6583a3cf3d280a880c7ab3767e4dbfb5d218fa0

  • SHA256

    95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387

  • SHA512

    f20a27028c81013507f9f6c0f9bdb77bef7dc108c269bcd1e0e55fc4dfc81f491b9273a10dc93822a7ec8bf9bb3908a2b95be71402a7948d6dc1b8665b6c9d71

  • SSDEEP

    384:NbbyQ9oKLOkAx11Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzL:p6KLhAx116GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
        "C:\Users\Admin\AppData\Local\Temp\95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:696
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:872
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        1⤵
          PID:1732
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k UnistackSvcGroup
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1152

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          254KB

          MD5

          8bfad3b639077ed274dbc563b972703b

          SHA1

          81116254c4c548e7a203a4576f39ab1179027901

          SHA256

          31d6a2fd6823012356fc104a275da46d18e7bdfbd8e71217b4e598c2596d884e

          SHA512

          6bfdaf32c1bb69fbaa8494ab94cf6a485d7e139ee79ff82268f423f57300040caba7d39a1207f9d099a2a91a8e3d845636e46d364bea898ec9ad34ace26010ed

          Download Submit

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          597KB

          MD5

          47a341bedad353e27090d4a7f1238769

          SHA1

          75558dbeb3789be5c0f98a4c47661a697b31349c

          SHA256

          a4b6a0629c04a4b46288dfe14e62a0602095aa572cf6f5d096c7e0ff6c4b3646

          SHA512

          8e8aa0f7d12de00ff049e12ce67c7ea78b30b49b17c2155ffff19c04376359f0841c16c7063ce2187ffe709516c5de214de5c9dd39ae28d453a853f9917825c2

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\_desktop.ini
          Filesize

          9B

          MD5

          0d8cc6d8ad77008e4eea5193ba074b8b

          SHA1

          ed3ef3737662f0b0d7dabb8a681fdab8882322a1

          SHA256

          02cb6e1ee5bc2475b62b35df1ff95d9d38080ea818c3fea2c65ceb449c761999

          SHA512

          8cf0f361865203a0b8ea23fb3a33827b86958c4035294db074562956d6fe213d9069f3e5687ea66284e14f4406d74d348d98eec1af10b2538acd7a302752813f

          Download Submit

        • memory/1152-59-0x0000026269240000-0x0000026269241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-61-0x0000026269350000-0x0000026269351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-60-0x0000026269240000-0x0000026269241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-25-0x0000026260DA0000-0x0000026260DB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1152-41-0x0000026260EA0000-0x0000026260EB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1152-57-0x0000026269210000-0x0000026269211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1616-19-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-23-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-64-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-13-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-1302-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-3827-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-5-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1616-4845-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download