Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 22:32
Static task
static1
Behavioral task
behavioral1
Sample
9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Resource
win10v2004-20240508-en
General
- Target: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
- Size: 27KB
- MD5: 3262af3b3175a752b3dc89d5befd082f
- SHA1: e21b1e0a8298ce207987bf3479d995516ffb1c4a
- SHA256: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788
- SHA512: c2a167c48d803b206f5235cd61ab0f165241fe50d31f0471a117d692d7b3cd87a546ed2e03c7e6c261d0887ea77960e69ae48788cd5289c8142a1ba97a60b720
- SSDEEP: 384:MYV1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:l16GVRu1yK9fMFLKaTxsujCT7pZpY
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\X: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\Q: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\O: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\M: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\K: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\P: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\L: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\H: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\E: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\Y: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\V: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\U: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\T: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\S: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\R: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\N: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\W: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\J: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\I: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened (read-only) | \??\G: | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Common Files\Services\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Java\jre7\lib\management\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\DVD Maker\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2192 wrote to memory of 2812 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 28
PID 2192 wrote to memory of 2812 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 28
PID 2192 wrote to memory of 2812 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 28
PID 2192 wrote to memory of 2812 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 28
PID 2812 wrote to memory of 2000 | 2812 | net.exe | 30
PID 2812 wrote to memory of 2000 | 2812 | net.exe | 30
PID 2812 wrote to memory of 2000 | 2812 | net.exe | 30
PID 2812 wrote to memory of 2000 | 2812 | net.exe | 30
PID 2192 wrote to memory of 1088 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 18
PID 2192 wrote to memory of 1088 | 2192 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 18
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1088
  C:\Users\Admin\AppData\Local\Temp\9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2192
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 2812
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2000
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 957KB
  MD5: 306b6e050e9418030e0ef49db759dbfd
  SHA1: 18a24c3d62330828649d40f5c05dd1e51a0781e6
  SHA256: 71541f32f6d9845c854ec99b894c5232960c50d010e0d6c1c1f979454d26310b
  SHA512: 8aece85fed0ae9a5ef340e4592ffbc30e5236edd84ddeb0eeec849c08f595b90912153995be965d51248440e565310048f378d091e914a10bcdfa069cc46fa6a
- Filesize: 472KB
  MD5: 88eb1bca8c399bc3f46e99cdde2f047e
  SHA1: 55fafbceb011e1af2edced978686a90971bd95f2
  SHA256: 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
  SHA512: 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728
- Filesize: 8B
  MD5: af485d3db9f82d3e5bdc8c6d87fb742e
  SHA1: f879c3dbd3d34e9789ff73896508bfbeabbf7468
  SHA256: 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759
  SHA512: d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360