Overview

overview

10

Static

static

a024795c16...3d.exe

windows7_x64

6

a024795c16...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    20-10-2021 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a024795c1658919d6d486d5b5ec3cf3d.exe

  • Size

    79KB

  • MD5

    a024795c1658919d6d486d5b5ec3cf3d

  • SHA1

    43252185f8b73d64cd398010bca860ec1ac94b52

  • SHA256

    6c37eeda0f1f8b8a33b982e32864e819a2f493fba1615cbca2724264de8ca340

  • SHA512

    4dc88c03e5f382189c1e05ecf2361a6606c21a3ab3ce4397b2c8cd272899bdb0d7a8a638dc64a681b36d39ec819dfaf405c0d1bc64622684673eaa3f11fee0ae

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a024795c1658919d6d486d5b5ec3cf3d.exe
    "C:\Users\Admin\AppData\Local\Temp\a024795c1658919d6d486d5b5ec3cf3d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-MpPreference -PUAProtection 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' -Name DisableNotifications -Value 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    216573a96257d54ca9752c9557e92f7c

    SHA1

    164cc512f1c121c6d3612176e4f8b294fdfbf459

    SHA256

    cf210cbd331411f6c1af31fb044d77b6c67e0c0768e61366314df78f8df8671a

    SHA512

    da094cea08fb3c25ea516d35512694ece651919ccee5e44d40c7c497908ab87cc94476fbb990f6c9800070382c57406e5e3b22636a6394a1101cd902be97b92c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    216573a96257d54ca9752c9557e92f7c

    SHA1

    164cc512f1c121c6d3612176e4f8b294fdfbf459

    SHA256

    cf210cbd331411f6c1af31fb044d77b6c67e0c0768e61366314df78f8df8671a

    SHA512

    da094cea08fb3c25ea516d35512694ece651919ccee5e44d40c7c497908ab87cc94476fbb990f6c9800070382c57406e5e3b22636a6394a1101cd902be97b92c

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/360-90-0x000000001B590000-0x000000001B592000-memory.dmp
    Filesize

    8KB

    Download
  • memory/360-83-0x0000000140000000-0x0000000140016000-memory.dmp
    Filesize

    88KB

    Download
  • memory/360-84-0x0000000140000000-0x0000000140016000-memory.dmp
    Filesize

    88KB

    Download
  • memory/360-85-0x0000000140000000-0x0000000140016000-memory.dmp
    Filesize

    88KB

    Download
  • memory/360-86-0x0000000140000000-0x0000000140016000-memory.dmp
    Filesize

    88KB

    Download
  • memory/360-87-0x0000000140000000-mapping.dmp
    Download
  • memory/756-59-0x00000000026E2000-0x00000000026E4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/756-62-0x00000000026EB000-0x000000000270A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/756-61-0x000000001B710000-0x000000001BA0F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/756-58-0x00000000026E0000-0x00000000026E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/756-60-0x00000000026E4000-0x00000000026E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/756-57-0x000007FEEE150000-0x000007FEEECAD000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/756-56-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/756-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1196-80-0x000000001B750000-0x000000001BA4F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1196-81-0x000000000258B000-0x00000000025AA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1196-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1196-76-0x000007FEEE150000-0x000007FEEECAD000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1196-77-0x0000000002580000-0x0000000002582000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1196-79-0x0000000002584000-0x0000000002587000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1196-78-0x0000000002582000-0x0000000002584000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1412-71-0x000000000257B000-0x000000000259A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1412-68-0x0000000002570000-0x0000000002572000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1412-70-0x0000000002574000-0x0000000002577000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1412-69-0x0000000002572000-0x0000000002574000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1412-67-0x000000001B700000-0x000000001B9FF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1412-66-0x000007FEEE150000-0x000007FEEECAD000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1412-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1524-53-0x000000013F150000-0x000000013F151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-82-0x000000001B970000-0x000000001B972000-memory.dmp
    Filesize

    8KB

    Download