Overview

overview

8

Static

static

a9bc4aeb94...7a.exe

windows7_x64

8

a9bc4aeb94...7a.exe

windows10_x64

8

Analysis

  • max time kernel
    112s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    05-12-2021 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9bc4aeb94664b8938a00b5301225d7a.exe

  • Size

    2.9MB

  • MD5

    a9bc4aeb94664b8938a00b5301225d7a

  • SHA1

    9a0ecb70fc029faeb968de0e639537d6baf525e4

  • SHA256

    94e99f4dbbf9739b71ee8dad26651b8cd01cd3c5bb6eb97da26d88991351cf6b

  • SHA512

    3382be368a3d4fc9cf3016dc2bcfc0eb6bf3345ba644441b2e1d8b4f37831216681b5c18e8692c3ea96f1b12df52255dffcc2ab85e5068609cc573b0ff98988c

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9bc4aeb94664b8938a00b5301225d7a.exe
    "C:\Users\Admin\AppData\Local\Temp\a9bc4aeb94664b8938a00b5301225d7a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\expand.exe
      expand
      2⤵
        PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Confronto.vsd
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3944
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd
            4⤵
              PID:2660
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
              Ritroverai.exe.com B
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1348
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com B
                5⤵
                • Executes dropped EXE
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:652
                • C:\Windows\SysWOW64\nslookup.exe
                  C:\Windows\SysWOW64\nslookup.exe
                  6⤵
                    PID:1188
              • C:\Windows\SysWOW64\PING.EXE
                ping JQKTJDNJ
                4⤵
                • Runs ping.exe
                PID:868

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads