Overview

overview

6

Static

static

3

6109674a0c...7f.exe

windows7-x64

6

6109674a0c...7f.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2023, 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6109674a0cf749ef17f95ebb546eb8f785a56f22cef931d131d26970dcb9767f.exe

  • Size

    29KB

  • MD5

    9661b81f24b7ea820377f79efcf39e77

  • SHA1

    3971ef24a80442913c381b077f2ca2b360178fe1

  • SHA256

    6109674a0cf749ef17f95ebb546eb8f785a56f22cef931d131d26970dcb9767f

  • SHA512

    4c527b2015527f17180d5591eb784a71bccd091ab8ef098faaf9c767231a4fbacdb540ff78a8ce015cad364b4148cdd351eadfcd4a552d33c080c1870d5de7e2

  • SSDEEP

    384:Nbbh3QU1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:pmU16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\6109674a0cf749ef17f95ebb546eb8f785a56f22cef931d131d26970dcb9767f.exe
        "C:\Users\Admin\AppData\Local\Temp\6109674a0cf749ef17f95ebb546eb8f785a56f22cef931d131d26970dcb9767f.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2152

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        876KB

        MD5

        97357f7b9616195924213a55215ab075

        SHA1

        f1a292a346c027767201bb7f1f0c8bec08010e0c

        SHA256

        b4601d8e307f9bde6be8477106c89ea19c142b945a24b899c92ce300f78d44fe

        SHA512

        62dd102ebf952759414645f75bcc63db2feb71e66eaeba8e221e7399a98c67a0ee9e3601a692346ff44b507cfda6797cb397eeddf866d7c94c59e7786da20ac1

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        2faaad87f08521fcc8daee0d433d478b

        SHA1

        a75b87049a6c122b921f66cddeabb12502857a2f

        SHA256

        70546de82df8bdbcd9022e1bd74a8f50d61dd19532aeaa32a69582acda025b25

        SHA512

        1dff24a69a25f323075c8553c643c1b5bbe83a5c6d975467dabd6027ff48d0c9d0cd06ecdbf6b6a5f97a060e0353eb31898d66a9e1adcc5497e05bac06566f27

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1861898231-3446828954-4278112889-1000\_desktop.ini
        Filesize

        10B

        MD5

        4661db9bc35ff03ce317c10340aefcf0

        SHA1

        f0e79b1005d44e64f7166d071630e842aaa38b52

        SHA256

        2e37d9000ca5065fbf0811fb0284a648a61c808868310caa341a73a6a7dbe665

        SHA512

        5c3bc77c7f03b7f28b86ce8cf61f6698ac2bd7f1521af9a89bbd81f3feabbc56fd45483d157e0ceae6bcbdaefc29f5f053fd40d45d4b68ce1270c8c0dddb2269

        Download Submit

      • memory/1260-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2944-66-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-72-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-14-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-95-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-1825-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-3285-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2944-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download