Overview

overview

7

Static

static

3

ec9bd2843b...e1.exe

windows7-x64

7

ec9bd2843b...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe

  • Size

    122KB

  • MD5

    85c3c4132983eecc44905bfc16cd7b99

  • SHA1

    bff716a66d4c69bc50d749c0668a7ec53a03bbe0

  • SHA256

    ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1

  • SHA512

    6b44a330a68c1717422bfa69ecb5dcbe3d71696ed9fadde36adf3665a62dfa6cae3245db9c5980b29dbca6ca0ecb671741b304d83fb447a9ff6006464c467101

  • SSDEEP

    3072:vftffjmNoxCoFHzg2I0PpPNX6RLXWertCQyyNU:XVfjmNiZzhPpPNq6QyH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe
        "C:\Users\Admin\AppData\Local\Temp\ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC861.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4496
          • C:\Users\Admin\AppData\Local\Temp\ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe
            "C:\Users\Admin\AppData\Local\Temp\ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe"
            4⤵
            • Executes dropped EXE
            PID:2220
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3376
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:5092

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        84d7664b6513487e67ff6e97c25a9577

        SHA1

        dddda4c1e13491cbc90b03c513cfa090376d1f5e

        SHA256

        bd32c2546f43a671fe5fc5557c512c8413e6289a40438b8cb0b684de1c083c04

        SHA512

        ac2d0e84afe85334a338d15ab7045ed2b37c3031886de1022dc41a45dbf8b243bc12f6c8430dd5cf16b185c2050dfbd68fe94598f212e228d5c680b0fbbe5eef

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aC861.bat
        Filesize

        722B

        MD5

        d449c57cb55e4e2ed9ab4d1c92ba0507

        SHA1

        87d82c960594478f5681aa10ef12d4be31953ce4

        SHA256

        7d0ff6ca056fceb0bbdb3d32db4a469ab557f1acd7ace45a16ac8f068966be3b

        SHA512

        717d5a89c515827b3fbb5f618f9febf28e19a1c859445a29702e69262f349fe2f9e575c652c2a31e5763573fe0c4da315fdbd603cc33772640a6ffa9d3a38005

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ec9bd2843b752a5359dae58470fd8b2a7460e1c887927201f8d04f405b9892e1.exe.exe
        Filesize

        96KB

        MD5

        4f777a9f156035ab4670da6cdcbd651c

        SHA1

        78b6f97056e6d5674bbcb94f13c4bf5527319c02

        SHA256

        77a8efbcc5e81e9534ad80aa2836105491f015d8a7355d0ba960f8fe5df3d0c8

        SHA512

        244dae23bcabfe4f7bcd10af02f24f88840fd91defd989cd39ad8a7ea4cb2829f9101e966a8d8ff95099269461afef587c7f8008437d8c23a91fee08acd33437

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        f16501dcd39f1333a1c9407f12f88067

        SHA1

        f87c876feed9062f7520ab0a1cd52f112965ed8b

        SHA256

        f33e493bfd0802bd14f44f33cd1a19ee0026d23359d6f13074715f44667cd1c1

        SHA512

        16ac93e41ba6f14a949c0725f38b72c4f248a591615a1caab90ada577e65560fca3cec78b179f08209a8967db949784e93830937b90e1fd1018cc4663452bbe9

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\_desktop.ini
        Filesize

        9B

        MD5

        7f808734d303ae0442efdfce3344deee

        SHA1

        c814ffceeaadd0b7d41254ebf9698895924d5d42

        SHA256

        5b9baea2f17425d3edf9e446b467d55f39d41faaa8dbb351fea88b88bd20e79c

        SHA512

        b0278d3f79e4d8101351196b056c29a03102cac7fce93ba755156b1706ae505eeac237f0febff2718603707499b9ace1dc9dde225230e11c875ab55471ef4e9c

        Download Submit

      • memory/2072-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-1165-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2072-2328-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4672-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4672-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download