84273f2eaea783db7b16436f1a64b832d89f3be62870948c8f367ef67a79809e

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c132eb08e887792ab649c797362643.exe
Size

42KB
MD5

30c132eb08e887792ab649c797362643
SHA1

0d8c218a3a3e203519bacd3aa8fc67b4244d7ca6
SHA256

84273f2eaea783db7b16436f1a64b832d89f3be62870948c8f367ef67a79809e
SHA512

a342470f8cbebbf3e965d126446c5f95734564f45e10803651cf1a966bbcc5dc10be3e7b696547ef771f4fb4f0953d3385a4071a79cb0f8f310171e1ca7de4c1
SSDEEP

768:AEENWxmcnc8uK8fToRaqIjTH4uB8wP9BgUMDVStJFwwSkEZJa:HEN2myxu9Toh8cDVmq7kEZM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\Q:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\U:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\N:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\K:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\J:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\I:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\H:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\E:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\W:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\Y:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\X:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\V:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\T:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\O:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\M:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\L:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\Z:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\R:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\P:	30c132eb08e887792ab649c797362643.exe
File opened (read-only)	\??\S:	30c132eb08e887792ab649c797362643.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\7-Zip\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\Google\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\es-ES\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	30c132eb08e887792ab649c797362643.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	30c132eb08e887792ab649c797362643.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	30c132eb08e887792ab649c797362643.exe
File created	C:\Windows\Dll.dll	30c132eb08e887792ab649c797362643.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	2372	WerFault.exe	16

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe
2372	30c132eb08e887792ab649c797362643.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2312	2372	30c132eb08e887792ab649c797362643.exe	28
PID 2372 wrote to memory of 2312	2372	30c132eb08e887792ab649c797362643.exe	28
PID 2372 wrote to memory of 2312	2372	30c132eb08e887792ab649c797362643.exe	28
PID 2372 wrote to memory of 2312	2372	30c132eb08e887792ab649c797362643.exe	28
PID 2312 wrote to memory of 2132	2312	net.exe	30
PID 2312 wrote to memory of 2132	2312	net.exe	30
PID 2312 wrote to memory of 2132	2312	net.exe	30
PID 2312 wrote to memory of 2132	2312	net.exe	30
PID 2372 wrote to memory of 1260	2372	30c132eb08e887792ab649c797362643.exe	6
PID 2372 wrote to memory of 1260	2372	30c132eb08e887792ab649c797362643.exe	6
PID 2372 wrote to memory of 2880	2372	30c132eb08e887792ab649c797362643.exe	31
PID 2372 wrote to memory of 2880	2372	30c132eb08e887792ab649c797362643.exe	31
PID 2372 wrote to memory of 2880	2372	30c132eb08e887792ab649c797362643.exe	31
PID 2372 wrote to memory of 2880	2372	30c132eb08e887792ab649c797362643.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\30c132eb08e887792ab649c797362643.exe
  "C:\Users\Admin\AppData\Local\Temp\30c132eb08e887792ab649c797362643.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 476
    3⤵
    - Program crash
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\_desktop.ini

Filesize
10B

MD5
dac5fda49398490d5c087360437ceda2

SHA1
93f612913565101624fc7a13c7e7d932bbc1a922

SHA256
803ca38dd859bfb259b80410b8adea5e7b38a655bc999501843102affc8ce9c5

SHA512
39315941c3f5f4fddfdaccd31758281415474d9f51b756f256473b1d343740fd98e7e339ede6db57765566d68da1009c8eddc4d67e59a47ed8f746ee94dea581

Download Submit
memory/1260-5-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2372-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download