Overview

overview

3

Static

static

cda9310715...27.exe

windows10-2004_x64

3

Resubmissions

12-04-2022 11:48

220412-nyx8xabccl 3

12-04-2022 08:59

220412-kxqkwshehj 10

Analysis

  • max time kernel
    138s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    12-04-2022 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327.exe

  • Size

    624KB

  • MD5

    9ec8468dd4a81b0b35c499b31e67375e

  • SHA1

    6fa04992c0624c7aa3ca80da6a30e6de91226a16

  • SHA256

    cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327

  • SHA512

    bd6b37a0395f0ae508c54dcb62d5258adfb8c202605db8310c6b8758c3874bd2364491b1b129209ba1854df27f35149f891ac785a89fe26ddc45c40cad8023b2

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327.exe
    "C:\Users\Admin\AppData\Local\Temp\cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327.exe"
    1⤵
      PID:4844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 476
        2⤵
        • Program crash
        PID:3444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4844 -ip 4844
      1⤵
        PID:4788
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4612
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:224

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads