987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
Size

66KB
MD5

e13b4f85d7a1be04b99aff76d36e62d3
SHA1

6787ace84a0c4df2738fb2da7509f862c6a24fae
SHA256

987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f
SHA512

a27a1b088871aafd6d4f73285ee70c2585c5675761d12a2b35b91b72e8df4ec76a523be7f20d56dbaa51e9527d0890c639f1a69375ce2c08c0c1f449da877902
SSDEEP

768:bKSjMqQeL2QTLqhhg/qUjdD0tB18hGKPvAbhp8J+j05PoWCyZqlSmQBUjYQ:xjMqxL2Q3qOLjp01Y06JdOGZqlSmQBQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\W:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\O:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\X:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\P:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\N:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\L:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\J:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\I:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\H:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\Z:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\U:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\T:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\R:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\M:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\K:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\V:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\S:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\Q:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\G:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened (read-only)	\??\E:	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6AA169C9-EC13-4792-9A6F-B1B56AF54223}\chrome_installer.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{44E057DB-B549-4AA9-8028-5ED0B58CCFED}\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3664	5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe	85
PID 5068 wrote to memory of 3664	5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe	85
PID 5068 wrote to memory of 3664	5068	987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe	85
PID 3664 wrote to memory of 3236	3664	net.exe	87
PID 3664 wrote to memory of 3236	3664	net.exe	87
PID 3664 wrote to memory of 3236	3664	net.exe	87

C:\Users\Admin\AppData\Local\Temp\987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe
"C:\Users\Admin\AppData\Local\Temp\987887182fd5ba7c2220a086762016de554dbedab9862a8e44502b5300dcac4f.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\dotnet.exe

Filesize
209KB

MD5
3cfa0fcb2b1d93a9434b6787fe7675be

SHA1
fbab6843722f549a5a3c5d3374d98127193b96e5

SHA256
257c05259a1af71b48e348931cb3460fbfb713bcea49452739d310c7dae1676b

SHA512
f97d83c90d6d0390edc83a82bf9d4e2877da463dbb8d8c9d122feddf7a10e1a809466776e8da930908fe575b367a777a5583b55791495528c24fcf4fb529b8dc

Download Submit
memory/5068-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download