Overview

overview

7

Static

static

3

bf071c8609...4f.exe

windows7-x64

7

bf071c8609...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 14:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe

  • Size

    262KB

  • MD5

    bfa95e9513b0a4f93af568c83e27b54a

  • SHA1

    47a95d0b08e6ef79d99ffc6d5fa7e16c8cd4317c

  • SHA256

    bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f

  • SHA512

    475b2b4621647b7434c027c2c845aef6bf1be21aacec4e7baa0e04b47ad333520e0680a648a6203721208d78c147d2336ba4d376b89a05810ab76ed570b56c82

  • SSDEEP

    3072:q6VOv+Kq7XVLRkgUA1nQZwFGVO4Mqg+WDY:bKq7FLRp1nQ4QLd

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe
        "C:\Users\Admin\AppData\Local\Temp\bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69B6.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3316
          • C:\Users\Admin\AppData\Local\Temp\bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe
            "C:\Users\Admin\AppData\Local\Temp\bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe"
            4⤵
            • Executes dropped EXE
            PID:2852
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3660
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:692
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 788
              4⤵
              • Program crash
              PID:1972
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660
        1⤵
          PID:3456

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\$$a69B6.bat
                Filesize

                722B

                MD5

                db82ebe7e8d3aa4c18238ce4cca5dd17

                SHA1

                78d1b820bc3cc712ed6bf53a4464143a64f934fe

                SHA256

                cd324e09877c9b952fa419a68949d37384a332ab7ef02b8c575244a919826c38

                SHA512

                bb136f779cfa0ebaeff155a4bcf0621f47fb0ff0dfda07437bff9c4b74f06b9c1633d438cada7cca2d0000fe23ceaa75391a6a2e0bf1932772bfa5d6d74731e7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\bf071c8609802f65261675176e2ce580c6252d4b4e8afa079c454ea93a1e7b4f.exe.exe
                Filesize

                231KB

                MD5

                6f581a41167d2d484fcba20e6fc3c39a

                SHA1

                d48de48d24101b9baaa24f674066577e38e6b75c

                SHA256

                3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

                SHA512

                e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

                Download Submit

              • C:\Windows\Logo1_.exe
                Filesize

                31KB

                MD5

                31c40ad002aec19c96432c3718cc2094

                SHA1

                8976214f3a06ef71424ea2bd68cf2eda92a2055a

                SHA256

                612fde4b588fec65c70481c238f089ab4d1ed5237976dbd807f79c50d3149cf4

                SHA512

                5c03fabcbd8864bcecd6203db9f0c3c5f7f9ad0fa217fb9d61b8beaacfe3a5ab6ffb54cc6764bff152c42f83688d9f860cd7177eb2abe1212e7e3cd26d9b703e

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini
                Filesize

                9B

                MD5

                27729a3995958245e2d6799df42e26e7

                SHA1

                dfe386f53277c8387b50122f3fda9bc2467815ba

                SHA256

                9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

                SHA512

                ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

                Download Submit

              • memory/2000-0-0x0000000000400000-0x000000000043B000-memory.dmp

                Filesize

                236KB

                Download

              • memory/2000-12-0x0000000000400000-0x000000000043B000-memory.dmp

                Filesize

                236KB

                Download

              • memory/3660-9-0x0000000000400000-0x000000000043B000-memory.dmp

                Filesize

                236KB

                Download

              • memory/3660-161-0x0000000000400000-0x000000000043B000-memory.dmp

                Filesize

                236KB

                Download