Overview

overview

6

Static

static

3

a5954e7b06...b9.exe

windows7-x64

6

a5954e7b06...b9.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2024, 23:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe

  • Size

    29KB

  • MD5

    f600d3b05604eed2eb0e978ecaec3752

  • SHA1

    c7e79069cd2c171d732cf22ad3c471200b8261a8

  • SHA256

    a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9

  • SHA512

    81fbc800450084e269e715130f3097c432ced7dcffaafffcc3c9b7f42fabc8ac24bc4b2d12f36cc84a1427335abc728fb53f648bb0e874ba582f87e73d56ff51

  • SSDEEP

    384:NbbbKDvJ3IZrJY1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzL:pGJYZ+16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
        "C:\Users\Admin\AppData\Local\Temp\a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2340

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              254KB

              MD5

              f432d1f83593308d844634cd59fc919f

              SHA1

              f8a1d3fb03083b9efd3a0327993b95b4ebdefdf1

              SHA256

              f151d9509315c51577bf1e04c879680168de53daee04af9a087b11ffc1a8a704

              SHA512

              84e52bceb34de199db9348de7b11ae1874cd582ab2c46880a90b32ed2f35ff7a7a5023917f9d473235eae3279a0e5687ac849d87cc14124eb970adb3e688c1e8

              Download Submit

            • C:\Program Files\7-Zip\7zFM.exe
              Filesize

              876KB

              MD5

              24c9700fd80b2692ea90abfa82b3a745

              SHA1

              50274f0c50360b095647bcf37cf94f4a9db079f4

              SHA256

              825489ed41ebd96904940b9315ab00c001aec4248a5aa477a276b3988d2cf97b

              SHA512

              b1dc5a231ea40019b67a2955ea656f16961d25e891e1deb443cdbfa1f61a5e8eba51bba229fa7626a27d6087c55eedc68a2284506b94bfbb3c2abf6fe1c6634d

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
              Filesize

              9B

              MD5

              3441ca64b7a268fd1abb0c149aa9e827

              SHA1

              977a6be7624a5ff4ea1de4f422b44b4974c17827

              SHA256

              fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

              SHA512

              84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

              Download Submit

            • memory/1380-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2408-66-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-20-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-0-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-72-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-14-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-545-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-1825-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-2044-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-7-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2408-3285-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download