Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2023 08:09

General

  • Target

    057b872ff99ac74d06c69d68bc60cfe8c3842d858e79fa7aaf6e52b62e945477.exe

  • Size

    29KB

  • MD5

    0a4ec07af6ee0de7e8639ccfc1e0a98b

  • SHA1

    c3f8a375dc91e1436f5da51fc529535ff616103c

  • SHA256

    057b872ff99ac74d06c69d68bc60cfe8c3842d858e79fa7aaf6e52b62e945477

  • SHA512

    dcb37d95aae4c7541058ef68ac0c3931b67a3fe61bbe569a6ff0ab87754760b5720c3df6d2dad6c5e627eaa50e268c066a20bbdb11123d3965c17cc650f45ae0

  • SSDEEP

    384:NbbNMWe1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:pZne16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\057b872ff99ac74d06c69d68bc60cfe8c3842d858e79fa7aaf6e52b62e945477.exe
        "C:\Users\Admin\AppData\Local\Temp\057b872ff99ac74d06c69d68bc60cfe8c3842d858e79fa7aaf6e52b62e945477.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2648

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        254KB

        MD5

        81b366cea7b26125940709a0f5e7d254

        SHA1

        6e03a61b1a9486e275754a58f5927ee2168d12aa

        SHA256

        790683ff65c5feabb356270eb6df40bf11d1f9d077383695d2beefefc925a0ad

        SHA512

        a48c74c21e439233ab92bf16c6a1207bb76aeaa0d1e89a939e2539f44902fde3d39a1b3589982566b5f2713a250493e10e0a2ccc74ead91f6a86e6106f8b472f

      • C:\Program Files\7-Zip\7zFM.exe

        Filesize

        876KB

        MD5

        bbfdb6e0303de4073ee178eed44bfb68

        SHA1

        3b6385bf5e82dc00da52f37c2bb323cd21aa47ec

        SHA256

        f7014623f69ead554173c57cbf39abcc2e8cc9ced72ed8bda96dd8895e72acd9

        SHA512

        e68705b045ea33c7fd078d615a9d70fca06db5bdd4809cfc5130e6ed088daf185d6f7f4353ddc1fca10cd68da39b6cba3714acd9de9515240447487344e00833

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

        Filesize

        474KB

        MD5

        11ec6a48c2716a484036c562cb7c3e25

        SHA1

        960285a49f0460fa9d4c52858d227a258b9eabab

        SHA256

        a1d41d048c92ff4215df3312a6a1a256813248ae5406d9a0ad270716f0f59913

        SHA512

        b43dac91f70b329d4dd6bb97684a6176cc23d2bd8dcbc7fbddbb0e412d39e4289c65d80d7082d30f626a15238162330290d518a8c1a7b523e1f1863bcfd5f32a

      • F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\_desktop.ini

        Filesize

        10B

        MD5

        a2f55d4dd0965430ceab2e112f7ee0a8

        SHA1

        d5e114f97985141a73b1e325728e5fd21e432f60

        SHA256

        f905d8a1cc369898067bdb4538843b91eb17d0d84032e2b5766ef438e25f807f

        SHA512

        8bce44ff59da58c0f9a3fdec7edb997a6781cd8f6aa4bc8ef0945c0a4dcde1db93092b88d2e114cd29d58931265b2aa1055dab677716cf75f1482faaa4c9bcdc

      • memory/1268-5-0x0000000001D30000-0x0000000001D31000-memory.dmp

        Filesize

        4KB

      • memory/2808-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-22-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-68-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-75-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-80-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-1827-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-9-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2808-3287-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB