Overview

overview

10

Static

static

3

9725a7de56...9d.exe

windows7-x64

10

9725a7de56...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2024, 12:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9725a7de56c34a47d00e51699468f29d.exe

  • Size

    152KB

  • MD5

    9725a7de56c34a47d00e51699468f29d

  • SHA1

    b00a9f953fba8aa6b62d71f3b0bdbe48d5bf550d

  • SHA256

    25ae297b57bcca799f66702aecfa30265ffd285f94e4e991562d05bf18c9f7f5

  • SHA512

    29e33a27bb4e45a25bc69f8a3be63d09f7abf0f6880e867f17b9d020fc5f45a763c5cf24843ffcd6156aa3731957d680a9825ff842972eaf3ed07d43d5d1ed90

  • SSDEEP

    3072:2hi9pRE62jKEjZKgwVxx7d2xJ06o4y/QFzz9l6rhLsKH:MSEhj0gw7a0P4yYFz5srJB

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9725a7de56c34a47d00e51699468f29d.exe
    "C:\Users\Admin\AppData\Local\Temp\9725a7de56c34a47d00e51699468f29d.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 560
      2⤵
      • Program crash
      PID:2620

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          152KB

          MD5

          48fe36f75254c6374a68aaead8b3a45c

          SHA1

          6951bcf971a769cd52c877a94479909cb2e47794

          SHA256

          4d01934ac807af73e5c2a0d9cf73a172caf5945472b67dba129dcdc9030a178b

          SHA512

          e52dd4f999953accafc96c2c130ead7347819a2db9c2d7e9b5b1c697817cbdef8eab72e5028cc35e372f141fb8d5ff390e7091f8b8614c345948eeb7e5fb68a6

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          152KB

          MD5

          97b604ae944eff6115502dd573800708

          SHA1

          1c70988b7903776b3c21a2e4834d89c0f88a6c8f

          SHA256

          7e24c8193109512a720b73c84a6436207df62f3f207ae373814566f3cd5c9e09

          SHA512

          b1f5fc0ec6f0da6cdf30acc5eded2df67b7e09a58c262c4995f8036802f65962b8fd17327fc601015f5aeae3dd7665f2165401287ccef0aa9a24614b8e47cab8

          Download Submit

        • memory/2264-0-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download