Overview

overview

10

Static

static

2732aa8029...8c.exe

windows7_x64

10

2732aa8029...8c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c.exe

  • Size

    378KB

  • MD5

    002dccebb515daedd0dcf2e423eead5e

  • SHA1

    f4246de95b2e6f3989be1fba0ed1bb079a809ad7

  • SHA256

    2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c

  • SHA512

    cc57a70b2c9e28979abcac6ba26bde4c2ffeacdf06a370e8544e557bff58e2324f87fea1b51a3bc8c23a3172282056180b4db0ea613b0906a26e667480a535ff

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c.exe
    "C:\Users\Admin\AppData\Local\Temp\2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\8486227214447239\winyewm.exe
      C:\Windows\8486227214447239\winyewm.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      PID:2504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 552
      2⤵
      • Program crash
      PID:2060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
    1⤵
      PID:4492

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    4
    T1112

    Disabling Security Tools

    3
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\8486227214447239\winyewm.exe
      Filesize

      378KB

      MD5

      002dccebb515daedd0dcf2e423eead5e

      SHA1

      f4246de95b2e6f3989be1fba0ed1bb079a809ad7

      SHA256

      2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c

      SHA512

      cc57a70b2c9e28979abcac6ba26bde4c2ffeacdf06a370e8544e557bff58e2324f87fea1b51a3bc8c23a3172282056180b4db0ea613b0906a26e667480a535ff

      Download Submit
    • C:\Windows\8486227214447239\winyewm.exe
      Filesize

      378KB

      MD5

      002dccebb515daedd0dcf2e423eead5e

      SHA1

      f4246de95b2e6f3989be1fba0ed1bb079a809ad7

      SHA256

      2732aa8029af8c346964765afc897b8786933b9bebd41c0fcca325a8c7ad608c

      SHA512

      cc57a70b2c9e28979abcac6ba26bde4c2ffeacdf06a370e8544e557bff58e2324f87fea1b51a3bc8c23a3172282056180b4db0ea613b0906a26e667480a535ff

      Download Submit
    • memory/2504-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2504-136-0x0000000000A13000-0x0000000000A18000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2504-137-0x0000000000A13000-0x0000000000A18000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2504-138-0x0000000000400000-0x000000000093C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2504-140-0x0000000000400000-0x000000000093C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3140-130-0x0000000000B23000-0x0000000000B28000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3140-131-0x0000000000B23000-0x0000000000B28000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3140-132-0x0000000000400000-0x000000000093C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3140-139-0x0000000000400000-0x000000000093C000-memory.dmp
      Filesize

      5.2MB

      Download