Overview

overview

9

Static

static

3

722755f8ab...cN.exe

windows7-x64

3

722755f8ab...cN.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe

  • Size

    126KB

  • MD5

    9bc7214c2c76b6100cbe12752071af80

  • SHA1

    93ac430e6ff1b3323764a0b8b29d2433a6e49fe2

  • SHA256

    722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2c

  • SHA512

    d90f3566047b73785e591f679b5aa9ee145a393e9e38043a81ab171754d4639ada23b16e51f88e285c8f671139a233cc4027bbda967c92de1c894b3ce43ff151

  • SSDEEP

    3072:BcB9Tqfe9e+X4gKrKX6/QRLKgrlSmN11q:BcjxI+X4VWmQRe7

Score
9/10
discoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (216) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe
        "C:\Users\Admin\AppData\Local\Temp\722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4244
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Users\Admin\AppData\Local\Temp\722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe
            "C:\Users\Admin\AppData\Local\Temp\722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe"
            4⤵
            • Executes dropped EXE
            PID:2908
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4880
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4168
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4592
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe.Exe
      Filesize

      605KB

      MD5

      8f3115a07221591386721d372621388c

      SHA1

      b144572d2c9681a798cb3a21bc069d4be675575c

      SHA256

      6c617cc0a9a799af9e5002a62efa4ed198d8e2694fdb8a27c6fd9107c5a4f8de

      SHA512

      cd2e4f1f6c5fb26688bca6db2af1013094fb9c43cc01ac4ff2e5d1e7c771c59e00c2ad354a245c087f303c65e73aa3c5bf8c88bdcaef9745281d3cc9039a46ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat
      Filesize

      728B

      MD5

      fb7251e4e9fa2423960125fb3a8f8f14

      SHA1

      f33b3ac399f944a70c42210308f2528e8079fc84

      SHA256

      03f9b52ee5624a9aebb8f6c58903a005bde610502a5d09120092a302f16cfaae

      SHA512

      f32cafd7524429df90aa5f37877846384660d160299c9705bcfd00b92bdd6d52318ed158fbc677f331feaec02ac476a97e11f1f9b98e381a5800d9206c9b6653

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\722755f8abadd964f9c03a81d077aff16089c1a65f57dae422337a4d1e0e2e2cN.exe.exe
      Filesize

      65KB

      MD5

      addde54c98ccf51c01387a9297708a16

      SHA1

      74c47a89f62657c6f3a7e2ad566aba637f5212c7

      SHA256

      b1ae79a575bd238d99808d3db04c165f6f314b9750da2cf4f6be18bf4d20854a

      SHA512

      1d3e15206d58b499d8475cb9aa8aa7cdfec0285820c27f172a6cb647f70ee178897e923b0e8577a150e53bcde78a40e97f68f1cc834c23fc79f2c6f981eee322

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      61KB

      MD5

      5f2f8191a8de3ba87b413b0d2de0b670

      SHA1

      9d15fb491a4b06192634559ee3bb84ce1e13b743

      SHA256

      2a19f1a3d48cd4fd311b72352ce2a05376a51eeb6905134589242090ca8bf530

      SHA512

      2626921762540490fab3b54169f4d18fbe6655bc680e407c20184e402d72f41af491c2a5271494e5e9d472181069e37863c75d90b1e46a8193715d9a341fc553

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

      Download Submit

    • memory/652-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/652-20-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4512-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4512-1-0x0000000000510000-0x0000000000530000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4512-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download