Overview

overview

7

Static

static

3

cff73c205f...19.exe

windows7-x64

7

cff73c205f...19.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe

  • Size

    3.3MB

  • MD5

    52c24fc732ae5d03dd73aea086e72ad1

  • SHA1

    4bc9ae3dfd63f593d3a18fb116e3b33975ae4447

  • SHA256

    cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619

  • SHA512

    7ce869f91bbd096067f4316f58a5ec3971d2e76e90212b645fc97c0da7d41fc5f97f6cb1819ac80643b0dbad1d1b6e62fea68a462347ee8eff1be2af213e3519

  • SSDEEP

    49152:nD1wyVu6kLS4U/DiaJ0de0r2AJisyYy20QkTu5dPkLoJjEWJ:5wv6kw/eJNHy2z+LoJjEWJ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
        "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4708
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6830.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
            "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
            4⤵
            • Executes dropped EXE
            PID:4544
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      1⤵
        PID:2096
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2196

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        d1cb05708e42caa9d902f4f5ff989832

        SHA1

        a2f9ccef5a629024ec60a8162a7b032fa7793693

        SHA256

        11767b8022953dbe246baaf2b5635c659107b489f62e871a4aaf512d9279c569

        SHA512

        0077c38ec33c2cc93c78f5fbf04ca814b9b388b00b8ff1aa5669f62b4d082ece789ab869f8a173ab2063dea83f442249686732af0e368bb1d071c8f8e1ddd8cd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a6830.bat
        Filesize

        722B

        MD5

        edba20446d185ddafd3b391ab4b4b5a3

        SHA1

        dff30a7c4c232d58eafcb7d63c645e5975bb4225

        SHA256

        e87e68f706fde01e92c5b66ca5b51f09932e4cdbf32f415da814737689b7d788

        SHA512

        2a3d924796705a1d2b6144600cb5e9610fb2d6b831b83dc1ec82f05d91936d6d850e61b9fd6b558184bbf4a9d28d3d3dbdeebafbe0c90b7ca34904a5cd893c48

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
        Filesize

        2.3MB

        MD5

        af4a4c6e00a82f800c95b3468158d842

        SHA1

        0c565ce150cf72ca709a464ce4a98f9747d0e5b2

        SHA256

        6a7ff372fb4e3fb150204e4b4b935ff2a7e51a2479c3cb075a2a31b5e24ffa74

        SHA512

        f3c1ad08b674617674e5469f26818170a7abc3c9d6dcf02669080cd1be51fd07bd93892ccd1ba08f4eddbbec5a64bc4e76501286cc1c6518390bb2e1dacd1b1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe.exe
        Filesize

        2.9MB

        MD5

        f4514eaabb3fc8d7144d9af356dd6feb

        SHA1

        542fee5e086832c2cfa58e8dc3e22df33f1b3809

        SHA256

        c4429d26766e6d4fc3d74ae165a7aa9e012a92951d3df9509fa26a0177f1f31a

        SHA512

        3df4f4da9c88f42759b2a12e0d4e407eb836575b7c3bc81bd2269410582ed4432263511610015c8f5b70f3dd64d3509e475d60d44ad0a79e57f3572f387af2a7

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        3f8f6ddcfd8d2e131ec9ff9ff2090ca1

        SHA1

        bc69b2fbbab6fc66b5e8bd2ca7a358bc7000b44f

        SHA256

        d33385041bbdbcbf890a8f56eb6877b4ecc87d319b10944074e97df9620bd8f2

        SHA512

        3652c4658d4a200d23ce970ee61b7831f4f91a121fd3ca6a5254e1a4dfe9866ceb17ad039bc1f30289b38c270ab6bef0d096329126acb285ad4d6f0c6bdcb97c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\_desktop.ini
        Filesize

        10B

        MD5

        0c6beb6d4da16bbf902e01a42ff163f5

        SHA1

        aeeec783750199c10f8dd6e8aa828a44233e760b

        SHA256

        2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793

        SHA512

        3f4ec9bc64092ea98aee91777e052f410194ce728890df45cbeccb60c321c5547e52eaae747c8b64c4f8a9c22a04c0f20146bb7cc5826552ae23e3be8ccb7c3a

        Download Submit

      • memory/2368-9-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-42-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-727-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-1004-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2368-1167-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4708-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4708-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download