Overview

overview

6

Static

static

3

22f08dd11d...16.exe

windows7-x64

6

22f08dd11d...16.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22f08dd11d2dc63f24de7fbebac3bcdcaac9a99ae4bf9629660a40cf81ed4f16.exe

  • Size

    27KB

  • MD5

    ec7ef612228019e1953b6359806b7ee9

  • SHA1

    f32b6540896e44388bd223837a3c042ce652ebbd

  • SHA256

    22f08dd11d2dc63f24de7fbebac3bcdcaac9a99ae4bf9629660a40cf81ed4f16

  • SHA512

    930cb248bde09bb5533484966a2bd1b10322db13288ea68ac9c17653d3b8c843d15daf6e8eb9ce930d1086a332f263f170295b6c8a96004621a5d94fe7f8ab37

  • SSDEEP

    384:MS8D1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:KD16GVRu1yK9fMFLKaTxsujCT7pZpY

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\22f08dd11d2dc63f24de7fbebac3bcdcaac9a99ae4bf9629660a40cf81ed4f16.exe
        "C:\Users\Admin\AppData\Local\Temp\22f08dd11d2dc63f24de7fbebac3bcdcaac9a99ae4bf9629660a40cf81ed4f16.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\dotnet\dotnet.exe
      Filesize

      170KB

      MD5

      f49f03760b60eea9bf77edf279f6c2a8

      SHA1

      8ed230e5ed2359d28b23493aa53547b212b0f4f0

      SHA256

      73a771064beec49df67d7f0d2000958a7589f3b7f6f3f87ea246cafa63ae94af

      SHA512

      48ba5149a1e383566439119208f242cf69013e614cea1f93261dba4c389934ac6dbb524972798578a59613957704c1c415f8c90224babbd6f2bfb7c248b26c58

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      637KB

      MD5

      9cba1e86016b20490fff38fb45ff4963

      SHA1

      378720d36869d50d06e9ffeef87488fbc2a8c8f7

      SHA256

      a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

      SHA512

      2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\_desktop.ini
      Filesize

      10B

      MD5

      291aa08828faa68893c7f89a0dfc158b

      SHA1

      fcae3d190f0d8c14b44dc2be0b627b0680d2eab9

      SHA256

      f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841

      SHA512

      9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38

      Download Submit

    • memory/1768-22-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-13-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-18-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-6-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-496-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-1219-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-4770-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-5-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1768-5243-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download