Overview

overview

6

Static

static

3

2d9faa2c88...9d.exe

windows7-x64

6

2d9faa2c88...9d.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d9faa2c88af94ed65a0c8dd8657af7f0c0fc3073c037094a36df8dc5b956f9d.exe

  • Size

    29KB

  • MD5

    c2714eeb0a075a663048727a1626345e

  • SHA1

    78ac209416bd20b0c01049ffa07529d6eda0858b

  • SHA256

    2d9faa2c88af94ed65a0c8dd8657af7f0c0fc3073c037094a36df8dc5b956f9d

  • SHA512

    c4204f2a53da4f82270f92f1a6852ac32cca8b4ee8f4953639d4bddacaa7919734fc775bcdd07a8a0b518e4ac5cd9c9979edb2e889e61614782e7d9fef04f19e

  • SSDEEP

    384:Nbb3yc3QU1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p2U16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\2d9faa2c88af94ed65a0c8dd8657af7f0c0fc3073c037094a36df8dc5b956f9d.exe
        "C:\Users\Admin\AppData\Local\Temp\2d9faa2c88af94ed65a0c8dd8657af7f0c0fc3073c037094a36df8dc5b956f9d.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        bda8eee3b345c1f21b74cbd88cd64f64

        SHA1

        45bf87c341cc5801adb6be803f4c9b8fede6be01

        SHA256

        2dbcc6a6e407885c514d167b5853ac2bde21a05edeb0a1d44fffd9883ff415c3

        SHA512

        55064667b6a153874ecd5e32711acc38bb76466be4fa5a2d77907c976065ab06e8313a5accbe84aa7026a641b7b2bbbc784f1a67d7bc351941b28c8092692f2a

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        613KB

        MD5

        0813cc2f5c914aa4267849c5a22f4ad5

        SHA1

        1163142b7bc3e6850ccbc60c20b4d4510f94f945

        SHA256

        f1202543ea22728d71e4fd4d109d6167be5c4eb12863cf32322aacf3c6a7509b

        SHA512

        479b16e16a76c2be9704b9fb858149f8a387b52eafec4f3735a4283d519d4dfbf5302770d190eb2a84e28b48c4e66cd6de81c51e7cd540ee8839c14b824ab4bf

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        9KB

        MD5

        19d64bdc527a23266363d299f69ca8e8

        SHA1

        43916b5c6f9096a7e1a9ec4586d248fabdba2312

        SHA256

        a4cae5a390f321d92c7e9409d186ecec37770b2bd8b02e0143809fb334cc3d6d

        SHA512

        9285277610c64a1d8333071bfe7a713571835fd59fc0abf3e924d26616d105bee320ad11babff44623de2e257266a1755dab28d02897ada8bdf1199d357194da

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\_desktop.ini
        Filesize

        9B

        MD5

        7f808734d303ae0442efdfce3344deee

        SHA1

        c814ffceeaadd0b7d41254ebf9698895924d5d42

        SHA256

        5b9baea2f17425d3edf9e446b467d55f39d41faaa8dbb351fea88b88bd20e79c

        SHA512

        b0278d3f79e4d8101351196b056c29a03102cac7fce93ba755156b1706ae505eeac237f0febff2718603707499b9ace1dc9dde225230e11c875ab55471ef4e9c

        Download Submit

      • memory/1200-5-0x0000000003060000-0x0000000003061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-66-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-72-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-619-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-1825-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-14-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-2345-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-3285-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2108-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download