Overview

overview

8

Static

static

27ae5cc7fc...f1.exe

windows7_x64

8

27ae5cc7fc...f1.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    154s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe

  • Size

    133KB

  • MD5

    10b32b96f5a972db48a0681e7aa344d7

  • SHA1

    5d9bb1f7318f6e00933384239fba223bdb5f4edb

  • SHA256

    27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1

  • SHA512

    d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3272
      • C:\Users\Admin\AppData\Local\Temp\27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
        "C:\Users\Admin\AppData\Local\Temp\27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Users\Admin\AppData\Roaming\Installed\windefender.exe
          "C:\Users\Admin\AppData\Roaming\Installed\windefender.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4372

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Installed\windefender.exe
      Filesize

      133KB

      MD5

      10b32b96f5a972db48a0681e7aa344d7

      SHA1

      5d9bb1f7318f6e00933384239fba223bdb5f4edb

      SHA256

      27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1

      SHA512

      d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Installed\windefender.exe
      Filesize

      133KB

      MD5

      10b32b96f5a972db48a0681e7aa344d7

      SHA1

      5d9bb1f7318f6e00933384239fba223bdb5f4edb

      SHA256

      27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1

      SHA512

      d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ntkrnl
      Filesize

      133KB

      MD5

      aa3ca1db3e8f40290c98e832df59706b

      SHA1

      3b1aed6735fca16a1ad3dcfaf6e577bf151f2a78

      SHA256

      011a83120e5882992f3fc21ba4b1e3390d5cb84cd6773426f8589533d69631b9

      SHA512

      110c3e0e954582494f26d2ffcbd19b7c9b0641fb2737784e137b907f832633c59caf2e08611c8f932d0f663fb15723b159a7546c5a25ce9fb26de0d409e7ea1a

      Download Submit
    • memory/4372-130-0x0000000000000000-mapping.dmp
      Download