Analysis

  • max time kernel: 149s
  • max time network: 57s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27-04-2024 22:18

General

  • Target: 3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
  • Size: 83KB
  • MD5: 3ac03c32ba869f1919e36b1595ff3a67
  • SHA1: 2ddd627495c03901e109097b05857aae4a565325
  • SHA256: 3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a
  • SHA512: 46bc724fc72a0ec89c243d47751f1e69ea6abe006c3ae70e15a1ea36dfbc963c00baa8c48fdc88ffefc33f537793d72f4c690afc41afd987acff735cf448fad4
  • SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWO1P9rLlW:GhfxHNIreQm+Hi2P9rLlW

Score: 7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe (PID: 3024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe"
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system\rundll32.exe (PID: 5112, child process)
      Command line: C:\Windows\system\rundll32.exe
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe
    Filesize: 79KB
    MD5: 1a5fb433bd9b417300580bd5657a70c8
    SHA1: 13961eeb43b39a734a67583bac753cec7c3fe632
    SHA256: b31c32ff59a37360f79422a7ce2e394292051f95b9086b69ddaab2b976a49ac1
    SHA512: d4865b4935ef2451cbacd5bbdbb4b4aab1fec5fc2f9ae42ab20eec1ebc6b81ada140209438661e731b923f2c1ebc24cb912af948446d109bab0dbc108bb908d4

  • C:\Windows\System\rundll32.exe
    Filesize: 75KB
    MD5: 37a8b6be086e97a0dc1ef3da48fd3417
    SHA1: d4eef7f2aeebde90da760558be5a6fae3e3e5645
    SHA256: 03c9560b6b71898bbda63c30fb3eda944c4d04376a692a6272a94886bf70f071
    SHA512: 1af30e96be07659ec3f56dda864ec1e0b3b260f86a25ea861a40a8b28de7327036af2e331cb34b7eeaff479ee33286386d816c36d88b2938f2c5659a48797246

  • memory/3024-0-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize: 86KB

  • memory/3024-14-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize: 86KB

  • memory/5112-12-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize: 86KB