Analysis

  • max time kernel: 150s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29-12-2023 21:25

General

  • Target: 04645eefb1ad7b96315acb36237387bb.exe
  • Size: 41KB
  • MD5: 04645eefb1ad7b96315acb36237387bb
  • SHA1: eff7a22113d9dc1ec901e900056daf44aa418c09
  • SHA256: 210559ef8a6996297384b50d3b7a0e170ee3b24e23acd50f5a7d55252c513c6e
  • SHA512: 68552f53f65b12a40b5e8db5d8b4c1b48a61c5b25ed0864c3eeb9bce649ec98ac1dcf11b0cda4e651865db4b70cc8a0d629bfa08c517234aa0739e7485c5f798
  • SSDEEP: 768:ChILW5OyRstOCjdpChIuKiGMeHxIAbN8:ChIy5OyetOCZxuKiWHCAbN8

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04645eefb1ad7b96315acb36237387bb.exe
    "C:\Users\Admin\AppData\Local\Temp\04645eefb1ad7b96315acb36237387bb.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\dek.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2744
      • C:\Windows\Tasks\kav32.exe
        C:\Windows\Tasks\kav32.exe
        3⤵
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 918B
    MD5: fbfe75bd891ab82a2f89de108e132801
    SHA1: 8baa8430288717cccca5835ecd7b3844b317ac94
    SHA256: 4806dbef798205ae2d7ac187fc3c095a3201df133bf3366398dccfc467260b02
    SHA512: da7941abb0f7bc628f7bc56b698c8ac4191d70f0c82fbf42c909daa83c40f3e51f2b6f84aef264fd9fd039e6d3dcd9fd02ee7ae055151a86ea243497f4d9ef14

  • C:\Windows\Tasks\kav32.exe
    Filesize: 41KB
    MD5: 1dc4ce985376aa230e7fae40d9370131
    SHA1: ddfff66ad84d8009e7345c067452c58581d06ba1
    SHA256: 2298b072adbcfa8551cd87c22df6ce1043056e9706cde7f4a72e27ccf7af2e1f
    SHA512: a86d348b35d530290ad673d33b56a4f4e2279c03d33b54122b827b1a207cec665c1841956a60f67a5dbc8c8d987f1fcef211f491223f2e8d521844ac37cd7065

  • C:\Windows\Tasks\pig.vbs
    Filesize: 97B
    MD5: 93511c0c00557b8222622f1b1b94490d
    SHA1: 2fffbe81f874d1941efa9b6dc7735d88179c66bc
    SHA256: 944dec2284cc789df1cd0d81dd65de6a39d5bd60be9317bdca93acd9359f16ff
    SHA512: e0cae4aab8ed14cd1e4c2372020f50cc28f93a99719eb9973b136bb38c05cef0da0f8d994e5af5e6fa7be64bb6b7fc8afab2e980563af51db9027fb67e759aef

  • C:\odt\wsock32.dll
    Filesize: 17KB
    MD5: adae0e605a8c0ef3dcdb6cacf80c413f
    SHA1: b0b0a2706f43fcc42a4c5d9b231ef8693e84e98a
    SHA256: 6cdc83812d65c83753678fbbe2657fa83b13befcf3956332659aaaec13f4ff46
    SHA512: a185d966ff79cd15f03982e85cc32556ac9b10abc64f91e5b7d645bfe63775aea51a632e6c5079538a008fc74ac5260719bcfffd2437bea552f8ff91e63e8895

  • \??\c:\dek.bat
    Filesize: 131B
    MD5: 2adcfc7a015e549510d43b3779b15f36
    SHA1: e6ab4af78a332af3f27f448467b01ff84e3d43c3
    SHA256: a44a6802a9e75c76fc66339e3a562089a32290bd4a982eb86b04be706fc6fd60
    SHA512: 4785fef3e2db29248dd8ab69b6963d6d39a783758757a878220ce140f24ad4fa8d3edac245ffa9e940c9bd40e9c9d13dcbd3ae1d7c40c57ab59fc3f14838d82c