Overview

overview

8

Static

static

3

d79de6ffe8...43.exe

windows7-x64

8

d79de6ffe8...43.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d79de6ffe84fe137828390a98ab88843.exe

  • Size

    14KB

  • MD5

    d79de6ffe84fe137828390a98ab88843

  • SHA1

    29eebac4fcf2a24d149208fd6e38beaef5ef21b2

  • SHA256

    4f3943397cef93c85394614c5f48ff609e69950125656a3ea5816dce0cacd0e4

  • SHA512

    6f1e313b3bab680856f0889ba793700ada7200bce32488abb4145326acded011745b30f4dcbfdc57d814ae02c69c5aa97ffb0583c068a5fd7e7eb654a3a84cfa

  • SSDEEP

    384:M3SnvnMVvllOt+f2ip1CnyR+aUOwsMVXRb8S36:QSvMVvvOt9iplsKLM3IS36

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d79de6ffe84fe137828390a98ab88843.exe
    "C:\Users\Admin\AppData\Local\Temp\d79de6ffe84fe137828390a98ab88843.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\mfxixue.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2920
      • C:\Windows\Tasks\csrss.exe
        C:\Windows\Tasks\csrss.exe
        3⤵
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    912B

    MD5

    48ec95bacc8186d72cce11b9584faeb7

    SHA1

    0a6900de60be125b545d36a55f56bd0f7db18d32

    SHA256

    402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

    SHA512

    42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

    Download Submit

  • C:\Windows\Tasks\csrss.exe
    Filesize

    14KB

    MD5

    7455184e29a885d6adf907ebcf071bb8

    SHA1

    efc2f3db101a774b7180ba4e51e5a365ab4d8305

    SHA256

    46226fb6b86ce7972e6ec37359742e7ebf83df2de25f51631141c31667c7e3d9

    SHA512

    26a1a9ba6fa742f8af34193c78248f1f2b89ae60c108ff335afe1ff66b2f315eceafc60e872c4a28c319ee068c5bf82ba0914dae0ef1f20cb9668fd702ce6fb8

    Download Submit

  • C:\Windows\Tasks\hackshen.vbs
    Filesize

    97B

    MD5

    a8c57eab4925bb4ad48cbabba42746e0

    SHA1

    f9fa7820051d33dadb862777fffd9714517e086d

    SHA256

    bc37a3b40be7e73055684637731ac8514e7ec9a32fd470eb73c71fd8600dba51

    SHA512

    d03022e7dee4f2121c41fa4fc236147cc79dfd8006630e6cb3ac84b1f732015fc957dd27df94fc5e28bc144b932e297f783edf009cd2b55b9fd25529f07e0ec6

    Download Submit

  • C:\Windows\Tasks\wsock32.dll
    Filesize

    15KB

    MD5

    dead113140d0686a7d7feba99e884258

    SHA1

    47289ad8994a2d7a26c8b675a8d273683fc33452

    SHA256

    4712b10f86fd235297ccf236a2321bd0e82e65f98bdb7abb30d748cb6b54a221

    SHA512

    4a71779dc868aad54d3227ef5f783bd4a5cd60e3dffeb50f8b5325b43b24b2fb92b8ce0b4b09490dd050ac7560d4c485575e5142c95f8d67ebe224b0cf9475e0

    Download Submit

  • C:\mfxixue.bat
    Filesize

    131B

    MD5

    ed8ff549660535b7c047c3478ba05dbe

    SHA1

    7e159764fd2bfe629d03a2a0b2ed37768bb0582a

    SHA256

    d81e4c08af3513d03147243a64e6058933ae18bb1b33f57aafd7c19949e3c37f

    SHA512

    4419657b6c52090baf114fbfc797bbe79ec5dafcfaf64382ffce9ec36d537b602087cbbd60ebeffe8561af2793ded42e25f760d1ae7d03e5cf74b2779e789913

    Download Submit

  • memory/1736-22-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1736-91-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1736-200-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1736-300-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1736-1088-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2912-8-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download