Overview

overview

10

Static

static

15179b743d...95.exe

windows7_x64

10

15179b743d...95.exe

windows10_x64

10

4fa1176e4a...91.exe

windows7_x64

10

4fa1176e4a...91.exe

windows10_x64

10

b51944f544...6a.exe

windows7_x64

10

b51944f544...6a.exe

windows10_x64

10

b91245cf0f...42.exe

windows7_x64

10

b91245cf0f...42.exe

windows10_x64

8

cd2eb403d5...71.exe

windows7_x64

10

cd2eb403d5...71.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    18-10-2021 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe

  • Size

    366KB

  • MD5

    abd24faa60515f22c32a5f03d2473620

  • SHA1

    5e0b8b5c062839c839367f651e9fed8f3171328a

  • SHA256

    b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42

  • SHA512

    3306506a865b51b1c25a35d49e1fee5752371b7a917bd6adbb84e94d523e5b536372f6a2ce9dbc064939cf4f9c57fcfdc45bcd839a9d7fcdc6a12618e368ae06

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 24 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe
    "C:\Users\Admin\AppData\Local\Temp\b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      /c del C:\Users\Admin\AppData\Local\Temp\b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe >> NUL
      2⤵
        PID:820
    • C:\Windows\SysWOW64\WinSrv.exe
      C:\Windows\SysWOW64\WinSrv.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe
        2⤵
          PID:1092

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Install Root Certificate

      1
      T1130

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\WinSrv.exe
        MD5

        abd24faa60515f22c32a5f03d2473620

        SHA1

        5e0b8b5c062839c839367f651e9fed8f3171328a

        SHA256

        b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42

        SHA512

        3306506a865b51b1c25a35d49e1fee5752371b7a917bd6adbb84e94d523e5b536372f6a2ce9dbc064939cf4f9c57fcfdc45bcd839a9d7fcdc6a12618e368ae06

        Download Submit
      • C:\Windows\SysWOW64\WinSrv.exe
        MD5

        abd24faa60515f22c32a5f03d2473620

        SHA1

        5e0b8b5c062839c839367f651e9fed8f3171328a

        SHA256

        b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42

        SHA512

        3306506a865b51b1c25a35d49e1fee5752371b7a917bd6adbb84e94d523e5b536372f6a2ce9dbc064939cf4f9c57fcfdc45bcd839a9d7fcdc6a12618e368ae06

        Download Submit
      • memory/820-120-0x0000000000000000-mapping.dmp
        Download
      • memory/2432-115-0x0000000002050000-0x000000000206F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/2432-116-0x0000000000400000-0x000000000045F000-memory.dmp
        Filesize

        380KB

        Download
      • memory/2476-119-0x0000000000400000-0x000000000045F000-memory.dmp
        Filesize

        380KB

        Download