889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
Size

26KB
MD5

e3eb1871a00de661e94d2d4179c64daf
SHA1

65584609b0e91895e79896cf2bc314bb0793583a
SHA256

889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607
SHA512

dc1bcea3aa7cabee603ca13d540743e6d546f4e4c05047991bec1388c92769972203d107dd75abba96771b3bad45c788421d6b7346c5bdca4dee162cc49bd907
SSDEEP

768:sS71ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:safgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\V:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\U:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\Q:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\O:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\N:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\M:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\I:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\H:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\W:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\T:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\S:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\R:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\X:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\E:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\K:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\G:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\Z:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\Y:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\P:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened (read-only)	\??\L:	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Windows Mail\it-IT\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2096	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	28
PID 2632 wrote to memory of 2096	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	28
PID 2632 wrote to memory of 2096	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	28
PID 2632 wrote to memory of 2096	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	28
PID 2096 wrote to memory of 2556	2096	net.exe	30
PID 2096 wrote to memory of 2556	2096	net.exe	30
PID 2096 wrote to memory of 2556	2096	net.exe	30
PID 2096 wrote to memory of 2556	2096	net.exe	30
PID 2632 wrote to memory of 1260	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	21
PID 2632 wrote to memory of 1260	2632	889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe
  "C:\Users\Admin\AppData\Local\Temp\889117f4914c78ec54461c5be58a001c498928987300745eef213ebd1a892607.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
168681c876bdc301911ce24b47935282

SHA1
a8913de7eee059f1c465c56282ec2ef7a2abcc09

SHA256
41c1720cd5458ab7a50f91ab38e9a13bea2941eb09b9a248809f9fc4369976f9

SHA512
7fbb29dce92283c2d9a70f2915c6ce53c4e0668d33e0c4099d557c5ad345c186917e9459f05eb6b4b901f9bbf707f671e50f980991b39856d05d33b18aedcdcd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
956KB

MD5
9b9cfb2c321ee999ec5df797defe5b3f

SHA1
5ffb1641949933b893d1288706efb0e0f621536b

SHA256
aa21136c99a2d2d2b3220de17e8b651a5e5d8abaeaf0da8dd64ead529188bc80

SHA512
1445d3ae3a16037df160dc31a8b1327d76fe88abe6d3127915d1e5ee79eb5179e1b377e1e536afba399b1b1951d7a64ce2d30bf1a8405dc8d7ca0cc616c560e4

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
cbff752523567179ac32a14f905e1944

SHA1
446aa136e2ec27c083df7dd49d0252f1c0243bde

SHA256
eb7756d2a0d4fe754f1fe3d1d30c92a3f7ac52252b13cd171fd7ce553d760371

SHA512
9131c53463d7ce35aa85fbd70b312fdbc04c7c649fae0f6a762758e8e39ee863bdf84a6d23d1879814f69a6d4c4fe38501235c2e557b68309d560f06c18e9eff

Download Submit
memory/1260-5-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2632-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-1825-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-3285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download