Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10/06/2024, 21:46
Static task
- static1
Behavioral task
- behavioral1
  Sample: VirusShare_684fda3866eb6967ede8bd784ad90680.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: VirusShare_684fda3866eb6967ede8bd784ad90680.exe
  Resource: win10v2004-20240508-en
General
- Target: VirusShare_684fda3866eb6967ede8bd784ad90680.exe
- Size: 684KB
- MD5: 684fda3866eb6967ede8bd784ad90680
- SHA1: 60531a62f6af7589949ac5d06ceb2a32665bf42f
- SHA256: 83cd26fc0f2642307179d45e3cfb8610fe2451d4d3d5abdca2521d22e35db6ca
- SHA512: e2eb71a011d9a2cb465e21f9fabbcfb166c64b8618bad6694d82f42f8622024b71d467fcc25ef4f59bbc429a7330ac461c617ae1084e26eb644bf27b65af05bf
- SSDEEP: 12288:8frDGo0iNyUl8n+OnrwF/w64BnxgLWIBwRnEmbbFdjqWeANhYnjg51s7h:Kr6o0iNyU+ntrwFI6QnqLWIYnfbzjqmk
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID 2680  WindowsSecurityUpdate.exe
-
Loads dropped DLL (6 IoCs)
  PID 1580  VirusShare_684fda3866eb6967ede8bd784ad90680.exe (6 loads; the DLL paths are not listed in this report)
-
UPX (yara rule, 9 memory-dump matches)
  behavioral1/memory/1580-1-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/2680-22-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/2680-24-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-26-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-30-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-62-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-63-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-64-0x0000000000400000-0x0000000000515000-memory.dmp
  behavioral1/memory/1580-65-0x0000000000400000-0x0000000000515000-memory.dmp
  Both the submitted sample (PID 1580) and the dropped WindowsSecurityUpdate.exe (PID 2680) match the UPX rule over the same 0x400000-0x515000 image range, so the dropped binary carries the same packed image as the sample.
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SD2014 = "C:\\Users\\Admin\\AppData\\Roaming\\9iDEKdVR\\9iDEKdVR.exe"  (written by VirusShare_684fda3866eb6967ede8bd784ad90680.exe, PID 1580)
  Note that the Run value points at 9iDEKdVR.exe inside the drop directory, while the binary actually executed from that directory during this run was WindowsSecurityUpdate.exe; a host check should look for both names under AppData\Roaming\9iDEKdVR.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1580  VirusShare_684fda3866eb6967ede8bd784ad90680.exe (64 occurrences)
-
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1580 (VirusShare_684fda3866eb6967ede8bd784ad90680.exe) wrote to memory of PID 2680, 7 times (procid_target 28)
  All seven writes target the child that the sample itself spawned, so this signature alone does not establish injection into a foreign process; inspect the PID 2680 memory dumps before treating it as such.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_684fda3866eb6967ede8bd784ad90680.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_684fda3866eb6967ede8bd784ad90680.exe"
  PID: 1580
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\9iDEKdVR\WindowsSecurityUpdate.exe
    command line: "C:\Users\Admin\AppData\Roaming\9iDEKdVR\WindowsSecurityUpdate.exe" -services
    PID: 2680
    - Executes dropped EXE
-
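Turning the indicators above into an endpoint hunt, as an added example that is not part of the sandbox report or its tooling: the script runs simple detection logic over a few constructed Sysmon-style events (Event ID 13 registry SetValue and Event ID 1 process creation), flagging Run values that point into a random AppData\Roaming subdirectory, executions from such a directory, the SD2014 value name, and the sample's SHA256 under any file name. The event field names follow Sysmon's, the eight-character directory pattern is an assumption modelled on 9iDEKdVR, and the sample events are constructed for the example.

```python
"""Hunt for this report's persistence and dropped-file IoCs in Sysmon-style telemetry."""
import re
from dataclasses import dataclass

# Indicators taken from the report above.
SAMPLE_SHA256 = "83cd26fc0f2642307179d45e3cfb8610fe2451d4d3d5abdca2521d22e35db6ca"
RUN_VALUE_NAME = "SD2014"
# Assumption: an 8-char alphanumeric directory directly under AppData\Roaming,
# mirroring the 9iDEKdVR drop directory seen in this run. Widen for real hunting.
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\[A-Za-z0-9]{8}\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Hit:
    rule: str
    event_id: int
    detail: str


def check_registry_set(ev):
    """Sysmon EID 13: Run value whose data points into a Roaming drop directory, or the SD2014 name."""
    hits = []
    target = ev.get("TargetObject", "")
    data = ev.get("Details", "")
    if RUN_KEY_RE.search(target) and DROP_DIR_RE.search(data):
        hits.append(Hit("run-key-to-roaming-dropdir", 13, f"{target} = {data}"))
    if target.rstrip().endswith("\\" + RUN_VALUE_NAME):
        hits.append(Hit("run-value-name-SD2014", 13, target))
    return hits


def check_process_create(ev):
    """Sysmon EID 1: execution from a Roaming drop directory, or the sample's hash under any name."""
    hits = []
    image = ev.get("Image", "")
    hashes = ev.get("Hashes", "")
    if DROP_DIR_RE.search(image):
        hits.append(Hit("exec-from-roaming-dropdir", 1, f"{image} {ev.get('CommandLine', '')}".strip()))
    if f"SHA256={SAMPLE_SHA256}".lower() in hashes.lower():
        hits.append(Hit("known-sample-sha256", 1, image))
    return hits


def hunt(events):
    """Dispatch each event to the check for its Event ID and collect every hit."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:
            hits.extend(check_registry_set(ev))
        elif eid == 1:
            hits.extend(check_process_create(ev))
    return hits


# Constructed sample telemetry (not from the report); paths and hash mirror the report's IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\Admin\AppData\Roaming\9iDEKdVR\WindowsSecurityUpdate.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\9iDEKdVR\WindowsSecurityUpdate.exe" -services',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\VirusShare_684fda3866eb6967ede8bd784ad90680.exe",
     "Hashes": f"SHA256={SAMPLE_SHA256.upper()}"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SD2014",
     "Details": r"C:\Users\Admin\AppData\Roaming\9iDEKdVR\9iDEKdVR.exe"},
    # Benign noise: an updater under Program Files registering its own Run value.
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.rule}] EID {h.event_id}: {h.detail}")
```

On the constructed input the two malicious events each raise two hits and the two benign events raise none; in production, feed the functions parsed Sysmon or EDR records and tune DROP_DIR_RE to the directory-naming pattern you actually observe.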
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 112B
  MD5: d201abad2d2dca1ccd401e4419421267
  SHA1: 773e9bc9f8adc19db7bf4cb45e66765a2c0da0d8
  SHA256: 85a638446470746e8b6329fa052c8e3a9e3e53ba6e800228498f524778d5fb5a
  SHA512: 75c585d579b4cef4d0f124f2d6eb01482747a591f5ea708f53d717fc810c9c830519dc0742d26f523f4214ca791e1b5c200b45a1654f6bd044b0b4e1f9a11856
-
Filesize: 684KB
  MD5: 684fda3866eb6967ede8bd784ad90680
  SHA1: 60531a62f6af7589949ac5d06ceb2a32665bf42f
  SHA256: 83cd26fc0f2642307179d45e3cfb8610fe2451d4d3d5abdca2521d22e35db6ca
  SHA512: e2eb71a011d9a2cb465e21f9fabbcfb166c64b8618bad6694d82f42f8622024b71d467fcc25ef4f59bbc429a7330ac461c617ae1084e26eb644bf27b65af05bf
  These digests are identical to the submitted sample's (same MD5, SHA1, SHA256 and SHA512), so this dropped file is a byte-for-byte copy of the original; the report does not name its path, but the only dropped executable observed is WindowsSecurityUpdate.exe under AppData\Roaming\9iDEKdVR. Hash-based blocking of the sample therefore also covers the copy, but not a repacked build.