Overview

overview

9

Static

static

3

89e77fbc40...8b.exe

windows7-x64

3

89e77fbc40...8b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2024, 15:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    89e77fbc40fbec8634e14735b73e1e8b.exe

  • Size

    83KB

  • MD5

    89e77fbc40fbec8634e14735b73e1e8b

  • SHA1

    833244644c24a547a9ffbd97f03f95d55596545d

  • SHA256

    13d6b68b492666ff031247eb3643f299c530455b5547e31b5d4525ede113038d

  • SHA512

    75d000ef3f07872e7953617f1951a92e0436291a4521581518b7538be2465b582dc530ae8c28c059d864495aacaab462f8ef46a72d6ca1c89c3493d0b57fa120

  • SSDEEP

    1536:hy+53F5HIbVSo2Zm7c660mowS/Ia20GCwkeX7OvHLDUujVT:4+5V5oYo2E7h6bBSQaLwkeXSPbVT

Score
9/10
persistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (219) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\89e77fbc40fbec8634e14735b73e1e8b.exe
        "C:\Users\Admin\AppData\Local\Temp\89e77fbc40fbec8634e14735b73e1e8b.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E20.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4656
            • C:\Users\Admin\AppData\Local\Temp\89e77fbc40fbec8634e14735b73e1e8b.exe
              "C:\Users\Admin\AppData\Local\Temp\89e77fbc40fbec8634e14735b73e1e8b.exe"
              4⤵
              • Executes dropped EXE
              PID:4224
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2356
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4316
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3160
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2776
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4312

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\$$a4E20.bat
                  Filesize

                  530B

                  MD5

                  4be388172844dfc31d2a93128e23c629

                  SHA1

                  1cdd7f45738049be3a19b0c1a46f1b406b78197e

                  SHA256

                  6938948c2923c02a98015f43d6738e8d7e470c0a7fb3c8307f66e91d82f8a887

                  SHA512

                  d7182e94f937ec4062c64635ed290b31a81a98e2f6e6bad879a101c1e90ec6523210bddb5d5c6b95175075b4922ce1468660690f992a56bfb7864dccd6e51053

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\89e77fbc40fbec8634e14735b73e1e8b.exe.exe
                  Filesize

                  25KB

                  MD5

                  c8c5c606e079c7243d2eb6548265b07a

                  SHA1

                  ef558f7b7b6a6b0ad35974981673b6da7b63bb91

                  SHA256

                  81c5476c22df9cfd35b62aab5f4f66e5fcafc0433a0b96192af8e0a304102af1

                  SHA512

                  e30936a1e2de671d29c8b1cf65ad8297d657debc478f3b9ee21c66914c7a53eb65426064036c3edd2af4c722519db5894b78c629248612d42a3121a9b1fa3d88

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  58KB

                  MD5

                  6b9949f677c1e6d2d130b866c0a928f6

                  SHA1

                  41ac679bacca058b8d8ff786cd049b9080357ff7

                  SHA256

                  aebcc2eb391e36ef85d868be6293ff5c6d5b5c65b9e370fe21c8ed779165256c

                  SHA512

                  f8fb960011e45dbf236bd482ef03823d5ecce9ab2748ae5314305ff8bc19b61d7bd9f656304c6ac1a506b139fe2f34207eac930e0ac074ca32a8fbe1ae360def

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  842B

                  MD5

                  6f4adf207ef402d9ef40c6aa52ffd245

                  SHA1

                  4b05b495619c643f02e278dede8f5b1392555a57

                  SHA256

                  d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

                  SHA512

                  a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

                  Download Submit

                • memory/1868-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1868-1-0x0000000000440000-0x0000000000480000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1868-10-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2356-12-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2356-16-0x0000000000440000-0x0000000000480000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2356-21-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2356-22-0x0000000000440000-0x0000000000480000-memory.dmp

                  Filesize

                  256KB

                  Download