Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-07-2021 15:03

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 04436C72506D84210A597C57880DBE3E.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 04436C72506D84210A597C57880DBE3E.exe
- Size: 1.4MB
- MD5: 04436c72506d84210a597c57880dbe3e
- SHA1: d77bf018b1fa76215f2ca680e4cf25ad034eb271
- SHA256: 87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4
- SHA512: 4dcfcc70d77c0fcf0fc74622f37cd176f0130bf8158330a6588d6c4c5bfcafc082dd003d514a10bbb01b12af575a3558d6255e65fd6ca90204e886d3f6a92064
- Score: 6/10
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 04436C72506D84210A597C57880DBE3E.exe
  Description: File opened (read-only), process 04436C72506D84210A597C57880DBE3E.exe, for each of the following IoCs:
  \??\L:, \??\N:, \??\P:, \??\U:, \??\H:, \??\S:, \??\T:, \??\X:, \??\Y:, \??\Z:, \??\M:, \??\B:, \??\F:, \??\G:, \??\K:, \??\R:, \??\V:, \??\A:, \??\I:, \??\J:, \??\O:, \??\Q:, \??\W:, \??\E:
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes: 04436C72506D84210A597C57880DBE3E.exe
  pid 1084, process 04436C72506D84210A597C57880DBE3E.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 04436C72506D84210A597C57880DBE3E.exe
  Token: SeDebugPrivilege, pid 1084, process 04436C72506D84210A597C57880DBE3E.exe
  Token: SeShutdownPrivilege, pid 1084, process 04436C72506D84210A597C57880DBE3E.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 04436C72506D84210A597C57880DBE3E.exe
  pid 1084, process 04436C72506D84210A597C57880DBE3E.exe (2 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe"
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1084-59-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize: 8KB)