Overview

overview

6

Static

static

3

91994eca99...af.exe

windows7-x64

6

91994eca99...af.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 10:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    91994eca993f0fbbc6bfa49b43e381f2bc9b01a02b25b486bba57a7d75044daf.exe

  • Size

    29KB

  • MD5

    68f8fd91e358f6b908a9cefc157b0faf

  • SHA1

    1067044f27b6cea929321f1012e72eccf264eda6

  • SHA256

    91994eca993f0fbbc6bfa49b43e381f2bc9b01a02b25b486bba57a7d75044daf

  • SHA512

    d5ba48a30a37a5956c9888717102586435434c05afc6fe21bf498f47de863d8e79d99cea6961cdb0a9251f25ba448eb9b7d84e794fd633518ea13a4ffff7ad9e

  • SSDEEP

    384:NbbnIPW1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:psPW16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3332
      • C:\Users\Admin\AppData\Local\Temp\91994eca993f0fbbc6bfa49b43e381f2bc9b01a02b25b486bba57a7d75044daf.exe
        "C:\Users\Admin\AppData\Local\Temp\91994eca993f0fbbc6bfa49b43e381f2bc9b01a02b25b486bba57a7d75044daf.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:100
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3452

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
              Filesize

              247KB

              MD5

              10a764da448d5173d88d9e70117dbbe0

              SHA1

              101f14080235f58886314da850b82ff81afa7f42

              SHA256

              a097c59c907239df49e0bf0a88d815df707e1bbd1512a20798cd8b9e0ad5ffb2

              SHA512

              362e406c0218af5a7cb9cdc4c7701cead43888f9b7d7ae02cd2b023047ea846b5800dac57baeb59e6075c3981b882bdc581197f746d4e5d8c340b4ffb249b91d

              Download Submit

            • C:\Program Files\dotnet\dotnet.exe
              Filesize

              173KB

              MD5

              322ef1c3e9e107bd2548117cc533f8a2

              SHA1

              be0131e6b0ce8fc54a1f2f4af8b168e77eb658db

              SHA256

              4dcd1fd24d9694586b7a9c4d3add9216fc8a37863a8ba1cb9fb9815cee58f8eb

              SHA512

              b7f75e58de67fbf2165cf692e6c1090b74b8a99d4d53675b5e6b707ffce01dee4f59ab58d1a4eff0801347885a53786bbcc7e529f2ef07a3a133dea9812d80f3

              Download Submit

            • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
              Filesize

              639KB

              MD5

              cda7714d2ec36fbd5dfd358b3cc885ce

              SHA1

              410c57ed71630d168738f40cea3ccc65529b0ae1

              SHA256

              d2c7832ddb52cfbb750dfffae048fd9c6a9cf06a52b7de91a0be255dffadef4e

              SHA512

              89cc9f52ae02711a9f90f2ba8e6b62c8ac442b967903067e1f3c5c12ff3ca012b62b8af4e4e7c3762b4c3ee255826b509fdb064c0d2861a2c2953a02c4fc1714

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\_desktop.ini
              Filesize

              9B

              MD5

              1368e4d784ef82633de86fa6bc6e37f9

              SHA1

              77c7384e886b27647bb4f2fd364e7947e7b6abc6

              SHA256

              57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

              SHA512

              3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

              Download Submit

            • memory/408-0-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-5-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-12-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-19-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-22-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-1219-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-4783-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/408-5228-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download