Analysis

  • max time kernel
    109s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26-04-2024 16:51

General

  • Target

    drweb-12.0-ss-win.exe

  • Size

    518.6MB

  • MD5

    1905b39af730825e5134cb4c74bed750

  • SHA1

    cd9029b51ebc2d9d212a54a566e9e9e0532491c6

  • SHA256

    0ca351264a405216e41474e8cf7dd7651648512924574470241589785dc87db4

  • SHA512

    890e889fecaab716c745944f727d3688797c747579902ac0514055db96d9ba9d502683d07b32b5eabb69523a9ff951580ef0e438e3ab39edb7b162792a343adc

  • SSDEEP

    12582912:ZQ1iM4XyvaTjKBZi8tuq4m2BcA5uG5UEtEH7iE+i:Z8ctKLi8EhVBHIG+Mte
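
Before acting on any of the findings below, confirm that the file in hand is the one the sandbox analysed. The following script is an added example, not the sandbox's own code: it streams a file through MD5, SHA1, SHA256 and SHA512 in one pass (the sample is 518.6MB, so it never loads the whole file) and compares the result against the digests listed in this report. The SSDEEP value is not checked because it needs a third-party library; the `REPORTED` table is copied from the General and Downloads sections, and `hello world` in the usage note is a constructed input.

```python
"""Verify a local copy of the sample or a dropped file against this report's digests.
Added example; uses only hashlib and computes all four digests in a single read."""
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report's General and Downloads sections.
REPORTED = {
    "drweb-12.0-ss-win.exe": {
        "md5": "1905b39af730825e5134cb4c74bed750",
        "sha1": "cd9029b51ebc2d9d212a54a566e9e9e0532491c6",
        "sha256": "0ca351264a405216e41474e8cf7dd7651648512924574470241589785dc87db4",
        "sha512": "890e889fecaab716c745944f727d3688797c747579902ac0514055db96d9ba9d"
                  "502683d07b32b5eabb69523a9ff951580ef0e438e3ab39edb7b162792a343adc",
    },
    "win-space-setup.exe": {
        "md5": "b5c16081f600e191daf634f3be96da93",
        "sha1": "020acb870a6e465980b67ce8cb066913b32267ac",
        "sha256": "b2749df3b0672acb02e8fc1e96849c37edf0fe0e90cca3ce985f14c96abc5537",
        "sha512": "ec58401b2162e2dda3fdc461fbef6256af25ebfcfe7460df9ef71500f4dacd84"
                  "4cf383203f12d9b87afa61d2c5537999b7dcdd5419d074bc14be0476c6a98c22",
    },
}


def digest_stream(chunks):
    """Feed every chunk to all four hashers at once; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Hash a file in 1MiB chunks so a multi-hundred-megabyte installer fits in memory."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def compare(actual, expected):
    """Per-algorithm match flags; comparison is case-insensitive because reports
    and tools disagree on hex case. Only algorithms present in `expected` are checked."""
    return {name: actual[name].lower() == expected[name].lower()
            for name in ALGORITHMS if name in expected}


def verify(actual, expected):
    """(all_matched, per_algorithm_results). A single mismatching digest means a
    different file, whatever the other digests say."""
    results = compare(actual, expected)
    return all(results.values()), results


if __name__ == "__main__":
    # Usage: python verify_sample.py <path> <name-from-report>
    path, name = sys.argv[1], sys.argv[2]
    ok, results = verify(digest_file(path), REPORTED[name])
    for algo, matched in results.items():
        print(f"{algo:7} {'OK' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it against both the original download and the dropped `win-space-setup.exe` recovered from `%TEMP%`; a mismatch on the parent means the report describes a different build, and the process tree and IoCs below should not be reused for it.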

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read to fingerprint sandbox or virtual-machine environments, for example by checking the CPU name string or core count. Legitimate installers also read it for compatibility checks, so on its own this is a weak indicator rather than evidence of evasion.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drweb-12.0-ss-win.exe
    "C:\Users\Admin\AppData\Local\Temp\drweb-12.0-ss-win.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\A426A9D8-890C3A0C-D7CA4C40-DDFCED3C\win-space-setup.exe
      "C:\Users\Admin\AppData\Local\Temp\A426A9D8-890C3A0C-D7CA4C40-DDFCED3C\win-space-setup.exe" /distribpath "C:\Users\Admin\AppData\Local\Temp\drweb-12.0-ss-win.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
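
The signature names above are the sandbox's labels for registry activity, and the report attributes them to a PID but does not show the keys that were touched. The script below is an added example, not the sandbox's rule engine: it maps three of the listed signatures back to the standard registry locations they describe (the service `ImagePath` value, the `Uninstall` key, and the `CentralProcessor` hardware key), normalises hive aliases, `ControlSetNNN` and `WOW6432Node` so a rule is not bypassed by an equivalent path, and groups hits per PID the way the process tree does. The trace format, the service name `ExampleSvc` and every line of `TRACE` are constructed for the example; the exact keys the sandbox matched on are an assumption.

```python
"""Map a registry-call trace to the signature names used in this report.
Added example; the trace format and key patterns are assumptions, not the sandbox's rules."""
import re
from collections import defaultdict

# Constructed sample trace (not from the report): one registry call per line.
# PIDs follow the report's attribution; the service and value names are made up.
TRACE = """\
pid=2148 op=set key=HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath data=C:\\Windows\\System32\\drivers\\example.sys
pid=2148 op=query key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName
pid=4892 op=query key=HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString
pid=4892 op=query key=HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier
pid=4892 op=open key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
pid=4892 op=open key=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
pid=4892 op=set key=HKCU\\Software\\Example\\InstallDir data=C:\\Program Files\\Example
"""

LINE_RE = re.compile(r"^pid=(\d+) op=(\w+) key=(.+?)(?: data=(.*))?$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
READ_OPS = {"open", "query", "enum"}

# (signature name as printed in the report, operations that count, normalised key pattern)
RULES = [
    ("Sets service image path in registry", {"set"},
     re.compile(r"^hklm\\system\\currentcontrolset\\services\\[^\\]+\\imagepath$")),
    ("Checks installed software on the system", READ_OPS,
     re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\uninstall(\\|$)")),
    ("Checks processor information in registry", READ_OPS,
     re.compile(r"^hklm\\hardware\\description\\system\\centralprocessor(\\|$)")),
]


def normalize(key):
    """Canonical lower-case path: long hive names become short ones, ControlSetNNN
    becomes CurrentControlSet, and the WOW6432Node redirection is folded away."""
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    rest = re.sub(r"^SYSTEM\\ControlSet\d{3}\\", r"SYSTEM\\CurrentControlSet\\", rest, flags=re.I)
    rest = re.sub(r"^SOFTWARE\\WOW6432Node\\", r"SOFTWARE\\", rest, flags=re.I)
    return f"{hive}\\{rest}".lower()


def parse_trace(text):
    """Yield (pid, op, key) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def detect(text):
    """Return {pid: {signature: hit_count}}, counting one IoC per matching call."""
    hits = defaultdict(lambda: defaultdict(int))
    for pid, op, key in parse_trace(text):
        path = normalize(key)
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(path):
                hits[pid][name] += 1
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def summarize(hits):
    """Render per-PID lines in the report's '<signature> N IoCs' style."""
    lines = []
    for pid in sorted(hits):
        for name, count in sorted(hits[pid].items()):
            lines.append(f"PID:{pid}  {name} {count} IoCs")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(detect(TRACE))))
```

The rules are behavioural heuristics in the same sense as the report's signatures: an anti-virus installer that registers its driver service will write an `ImagePath` value and trip the first rule just as a rootkit dropper would, so the output is a list of indicators to review alongside the process tree, not a verdict.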

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Doctor Web\Logs\distrib-starter.log

    Filesize

    3KB

    MD5

    eca5b06849b350250980249b7bc54233

    SHA1

    853d5f87909080a3409f611783b21929d2ff37ae

    SHA256

    b88bfe7d2a32360ccba2fb96bf4cec3af4f2e945ddd2f14b742b3d6ecbca462a

    SHA512

    a132d8395acd5dc0dbb081e7c39e2d80ab5a1eebc6529666fe83ec5356d12f14f7da1566a06ebb335fe9a412af5cebfd1c86426cdd2b312d373e867fb9e26624

  • C:\Users\Admin\AppData\Local\Temp\A426A9D8-890C3A0C-D7CA4C40-DDFCED3C\win-space-setup.exe

    Filesize

    12.4MB

    MD5

    b5c16081f600e191daf634f3be96da93

    SHA1

    020acb870a6e465980b67ce8cb066913b32267ac

    SHA256

    b2749df3b0672acb02e8fc1e96849c37edf0fe0e90cca3ce985f14c96abc5537

    SHA512

    ec58401b2162e2dda3fdc461fbef6256af25ebfcfe7460df9ef71500f4dacd844cf383203f12d9b87afa61d2c5537999b7dcdd5419d074bc14be0476c6a98c22