Overview

overview

8

Static

static

tmp/fca2ee...er.exe

windows7_x64

8

Resubmissions

29-12-2021 11:50

211229-nz3vsaddbl 8

29-12-2021 11:29

211229-nlssnaddak 10

28-12-2021 17:00

211228-vh1sescfan 10

Analysis

  • max time kernel
    30s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    29-12-2021 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe

  • Size

    397KB

  • MD5

    aff57ee1a4f3731c2036046910f78fb4

  • SHA1

    ef9627c0cadff85a3dfaab6aef0b7c885f03b186

  • SHA256

    3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

  • SHA512

    5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs
    persistence
  • Modifies powershell logging option 1 TTPs
    evasion
  • Drops file in Windows directory 2 IoCs
  • Gathers network information 2 TTPs 6 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hk_aks02.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC197A.tmp"
        3⤵
          PID:1100
      • C:\Windows\system32\chcp.com
        "C:\Windows\system32\chcp.com" 437
        2⤵
          PID:336
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy show all
          2⤵
            PID:780
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1292
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:580
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" interface portproxy reset
            2⤵
              PID:1932
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" interface portproxy show all
              2⤵
                PID:1444
              • C:\Windows\system32\netsh.exe
                "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
                2⤵
                  PID:1604
                • C:\Windows\system32\netsh.exe
                  "C:\Windows\system32\netsh.exe" interface portproxy show all
                  2⤵
                    PID:668
                  • C:\Windows\system32\netsh.exe
                    "C:\Windows\system32\netsh.exe" interface portproxy show all
                    2⤵
                      PID:808
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1736
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2012
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1608
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:832
                  • C:\Windows\system32\msiexec.exe
                    C:\Windows\system32\msiexec.exe /V
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1876
                  • C:\Windows\System32\control.exe
                    "C:\Windows\System32\control.exe" SYSTEM
                    1⤵
                      PID:892
                    • C:\Windows\SysWOW64\DllHost.exe
                      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                      1⤵
                        PID:1076

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/564-67-0x0000000002100000-0x0000000002102000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/832-57-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1076-91-0x0000000072FA1000-0x0000000072FA3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1076-89-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1648-92-0x0000000000C40000-0x0000000000C59000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/1648-55-0x000007FEF3230000-0x000007FEF42C6000-memory.dmp

                        Filesize

                        16.6MB

                        Download

                      • memory/1648-56-0x0000000000C90000-0x0000000000C92000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1648-90-0x0000000000CBD000-0x0000000000CBF000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1648-58-0x000007FEF2540000-0x000007FEF309D000-memory.dmp

                        Filesize

                        11.4MB

                        Download