Analysis

max time kernel: 146s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 07:34
Static task: static1

Behavioral task: behavioral1
  Sample: fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
  Resource: win10v2004-20240226-en
General

Target: fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
Size: 26KB
MD5: d880c45f5fdc437b2171ca08b6fe4bd7
SHA1: 32e2fe3f1dec04977e99f4703ec91ace6ddeb92e
SHA256: fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90
SHA512: 420537ed44be11fa1364a9ade913e4e2adb5e90a8c18ad24a41159b9aefdbd246daf8f1abb562a07a44091336034a0f680bb0e444e0315b5bd853b2c6d43a9b5
SSDEEP: 768:B1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:XfgLdQAQfcfymN
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe

description | ioc
File opened (read-only) | \??\Y:
File opened (read-only) | \??\T:
File opened (read-only) | \??\M:
File opened (read-only) | \??\P:
File opened (read-only) | \??\O:
File opened (read-only) | \??\N:
File opened (read-only) | \??\G:
File opened (read-only) | \??\X:
File opened (read-only) | \??\W:
File opened (read-only) | \??\U:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\K:
File opened (read-only) | \??\E:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\V:
File opened (read-only) | \??\R:
File opened (read-only) | \??\L:
File opened (read-only) | \??\S:
File opened (read-only) | \??\J:
File opened (read-only) | \??\I:
File opened (read-only) | \??\H:
Drops file in Program Files directory (64 IoCs)
Process (all rows): fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe

description | ioc
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini
File opened for modification | C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini
File opened for modification | C:\Program Files\Windows Sidebar\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini
File opened for modification | C:\Program Files\Java\jre7\lib\jfr\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini
File created | C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini
File created | C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini
File created | C:\Program Files\Windows Sidebar\it-IT\_desktop.ini
Drops file in Windows directory (1 IoC)
Process: fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe

description | ioc
File created | C:\Windows\rundl132.exe
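The file-activity rows above are only usable once they are split back into their three columns. The following Python is an added example and not part of the sandbox report or its tooling: it parses a constructed subset of the report's own rows, flattened the way the page shows them, and reduces them to the facts a responder checks first: which non-C: volumes were probed, how many _desktop.ini markers were dropped or reopened, which host executables were opened for write, and whether anything created under C:\Windows typo-squats a legitimate system binary name (the dropped rundl132.exe differs from rundll32.exe by a single character). SYSTEM_BINARIES is a hand-picked list and an assumption of the example, not an authoritative catalogue.

```python
"""Triage of the report's flattened file-activity rows.

Added example, not part of the sandbox report or its tooling. SAMPLE_IOC_TEXT is
constructed from seven of the report's own 'description ioc Process' rows, run
together the way the page shows them. SYSTEM_BINARIES is a hand-picked list of
legitimate Windows image names (an assumption), not an authoritative catalogue.
"""
import re

SAMPLE = "fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe"

# Constructed input: seven rows from the report, flattened onto one line.
SAMPLE_IOC_TEXT = " ".join([
    rf"File opened (read-only) \??\Y: {SAMPLE}",
    rf"File opened (read-only) \??\E: {SAMPLE}",
    rf"File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini {SAMPLE}",
    rf"File created C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini {SAMPLE}",
    rf"File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe {SAMPLE}",
    rf"File created C:\Windows\rundl132.exe {SAMPLE} -",
])

# One row: a known description, the IoC path (may contain spaces), then the
# acting process image; the lookahead stops at the next row or the line end.
ROW_RE = re.compile(
    r"(File opened \(read-only\)|File opened for modification|File created) "
    r"(.+?) (\S+\.exe)(?= File |\s*-?\s*$)"
)
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")  # the \??\X: device-path form
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")


def parse_rows(text):
    """Split a flattened 'description ioc Process' run into dict rows."""
    return [
        {"description": desc, "ioc": ioc, "process": proc}
        for desc, ioc, proc in ROW_RE.findall(text)
    ]


def levenshtein(a, b):
    """Edit distance; one substitution separates rundl132.exe from rundll32.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def summarize(rows):
    """Reduce the rows to the facts an analyst acts on."""
    drives, markers, modified_exes, lookalikes = set(), 0, [], []
    for row in rows:
        ioc, desc = row["ioc"], row["description"]
        m = DRIVE_RE.fullmatch(ioc)
        if m:
            drives.add(m.group(1))  # non-C: volumes probed, infector/worm style
            continue
        name = ioc.rsplit("\\", 1)[-1].lower()
        if name == "_desktop.ini":
            markers += 1  # per-directory marker file dropped or reopened
        elif desc == "File opened for modification" and name.endswith(".exe"):
            modified_exes.append(ioc)  # host binaries opened for write
        if desc == "File created" and ioc.lower().startswith("c:\\windows\\"):
            for legit in SYSTEM_BINARIES:
                if name != legit and levenshtein(name, legit) <= 1:
                    lookalikes.append((ioc, legit))  # typo-squatted system name
    return {
        "drives": sorted(drives),
        "desktop_ini_markers": markers,
        "modified_executables": modified_exes,
        "windows_lookalikes": lookalikes,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_IOC_TEXT)).items():
        print(f"{key}: {value}")
```

Feed the full flattened lists from the report into parse_rows to get all 64 Program Files rows; the lazy path match relies on the process column being the last whitespace-free token of each row, which holds for this report's layout.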
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)

pid | Process
2764 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe (10 identical rows)
Suspicious use of WriteProcessMemory (10 IoCs)

description | pid | Process | procid_target
PID 2764 wrote to memory of 2812 | 2764 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 28 (4 identical rows)
PID 2812 wrote to memory of 3064 | 2812 | net.exe | 30 (4 identical rows)
PID 2764 wrote to memory of 1208 | 2764 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 21 (2 identical rows)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1208
   2. C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe"
      PID: 2764
      signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe
         command line: net stop "Kingsoft AntiVirus Service"
         PID: 2812
         signatures: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 3064
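The process tree and the WriteProcessMemory rows together carry two findings worth automating: the sample stops a service whose name identifies it as an antivirus product (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools), and it writes into the memory of PID 1208, Explorer.EXE, which is its parent rather than a child it is starting. The Python below is an added example and not part of the report or its tooling: it rebuilds the lineage from a constructed copy of the tree and the ten write rows, then flags both patterns. AV_KEYWORDS is a hand-picked list and an assumption of the example.

```python
"""Process-lineage and defence-tampering triage over the report's process rows.

Added example, not part of the sandbox report or its tooling. PROCESSES and
WPM_TEXT are constructed from the report's process tree and its 'Suspicious use
of WriteProcessMemory' rows; AV_KEYWORDS is a hand-picked list (an assumption).
"""
import re
from collections import Counter

SAMPLE = "fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe"

# (pid, parent pid, image path, command line), copied from the process tree.
PROCESSES = [
    (1208, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2764, 1208, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    (2812, 2764, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (3064, 2812, r"C:\Windows\SysWOW64\net1.exe",
     r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# The ten WriteProcessMemory rows, flattened exactly as the report shows them.
WPM_TEXT = " ".join(
    [f"PID 2764 wrote to memory of 2812 2764 {SAMPLE} 28"] * 4
    + ["PID 2812 wrote to memory of 3064 2812 net.exe 30"] * 4
    + [f"PID 2764 wrote to memory of 1208 2764 {SAMPLE} 21"] * 2
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
AV_KEYWORDS = ("antivirus", "anti-virus", "defender", "security", "protection")


def parse_writes(text):
    """Count (writer pid, target pid) pairs; repeated rows are separate calls."""
    return Counter((int(w), int(t)) for w, t in WPM_RE.findall(text))


def children_of(processes):
    """Map each pid to the set of pids it spawned."""
    kids = {pid: set() for pid, *_ in processes}
    for pid, ppid, *_ in processes:
        if ppid is not None:
            kids[ppid].add(pid)
    return kids


def ancestry(processes, pid):
    """Root-to-leaf pid chain, e.g. Explorer -> sample -> net.exe -> net1.exe."""
    parent = {p: pp for p, pp, *_ in processes}
    chain = [pid]
    while parent.get(chain[-1]) is not None:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def find_av_service_stops(processes):
    """'net stop <svc>' where <svc> names a security product (T1562.001)."""
    hits = []
    for pid, _, _, cmdline in processes:
        m = NET_STOP_RE.search(cmdline)
        if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
            hits.append((pid, m.group(1)))
    return hits


def find_non_child_writes(processes, writes):
    """Cross-process writes into a pid the writer did not spawn.

    A parent legitimately writes into a child it is starting; a write into any
    other process (here the sample into its own parent, Explorer) is the
    pattern to examine for injection.
    """
    kids = children_of(processes)
    image = {pid: img for pid, _, img, _ in processes}
    return sorted(
        (w, t, image.get(t, "?"))
        for (w, t) in writes
        if t not in kids.get(w, set())
    )


if __name__ == "__main__":
    writes = parse_writes(WPM_TEXT)
    print("lineage of net1.exe:", " -> ".join(map(str, ancestry(PROCESSES, 3064))))
    print("AV service stops:", find_av_service_stops(PROCESSES))
    print("writes into non-children:", find_non_child_writes(PROCESSES, writes))
```

The non-child write check deliberately ignores writes from a parent into a process it spawned, since CreateProcess-style launches produce those routinely; only the 2764 -> 1208 pair survives the filter on this report's data.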
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 251KB
MD5: 1739f92ac794136b7b005e3a65d03e22
SHA1: 3aff88b7c7601941cba191ce2817c3bea01b834a
SHA256: e263b8c0eab9cbdf8a0fa5360727bdf6ed892097a0990e688de929195f63508f
SHA512: 35d8a8b579241000bd7cca8c3ec80e3a02d4ae569c08b7fcd2b9d9c028e60954678825c2b26c0efe7fe17f2f46cc00fc839b0d542100296f71201b261a69bb85

Filesize: 570KB
MD5: fa2dba38d9ef2621c476499e2d6c2059
SHA1: 44f8276acbe2bd08af17506877a48e062f15a3e0
SHA256: 62ff963fc1385639976f600a4b511b390d98fac0e3c80059f17bad8740f8208c
SHA512: e451a00d976d3e7b9dc88ce77baea59a4263fe124d61caa8acedaa470c69b4a5f63414f0f2f0e35d0cb77023bd513fb7a706a278bc57e9e9f9b7f8489e2286b9

Filesize: 471KB
MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Filesize: 8B
MD5: 9bf5ad0e8bbf0ba1630c244358e5c6dd
SHA1: 25918532222a7063195beeb76980b6ec9e59e19a
SHA256: 551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f
SHA512: 7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3