Overview

overview

10

Static

static

44fcb60fa4...75.exe

windows7_x64

6

44fcb60fa4...75.exe

windows10_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44fcb60fa4a1d0535b891a0d7f603975.exe

  • Size

    917KB

  • MD5

    44fcb60fa4a1d0535b891a0d7f603975

  • SHA1

    d526556c835337c2ca87c00d3ce3e430751bb3e2

  • SHA256

    72a13a9e54e095c5878be67503dd808a7332cb631c4c615d65d69e2de47b080f

  • SHA512

    537679df43c2924a7d409a527c929cab061e97b135f94110957ce4cb4193efc79b8d9962a8e56969a822534a161755c4cb99bb1caaf5804fe55f849716b414bb

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44fcb60fa4a1d0535b891a0d7f603975.exe
    "C:\Users\Admin\AppData\Local\Temp\44fcb60fa4a1d0535b891a0d7f603975.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\mshta.exe
      C:\Windows\System32\mshta.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 136
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1164-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1164-73-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-72-0x0000000010590000-0x000000001060C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1880-71-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-70-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-69-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1984-63-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1984-64-0x00000000767B1000-0x00000000767B3000-memory.dmp
    Filesize

    8KB

    Download