Overview

overview

8

Static

static

ea9a79b7aa...d1.exe

windows7-x64

8

ea9a79b7aa...d1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1.exe

  • Size

    796KB

  • MD5

    a7fb756bfe894118dd9390ec584ed097

  • SHA1

    ee6baf27630b2da4c2c310240a15497954c33e73

  • SHA256

    ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1

  • SHA512

    53996704b70ce7bff42a76c5df45037ef30b9f8dc4283c4ef0789fd4bcf41abd1b630608ace3cd2e29822668fdeb573d3d058330f41676748a2158374f35fe03

  • SSDEEP

    12288:d7tba8GV90fxf6JARzN9TbsltnlqvzFyqOF3Z4mxx9oEtlK+kt9T2Mhkdx2l:d7tbaTkfIARzN9Ml3qvorQmXuGCknK

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1.exe
    "C:\Users\Admin\AppData\Local\Temp\ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      PID:1364
  • C:\Windows\wg.exe
    C:\Windows\wg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:1792

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\AFDCMR.DAT
      Filesize

      55KB

      MD5

      6853cba3ccc11699c2d840f41c10393f

      SHA1

      80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

      SHA256

      0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

      SHA512

      a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

      Download Submit

    • C:\Windows\BZXZHO.DAT
      Filesize

      51KB

      MD5

      d58f992c53515c9f1fb9394a46f4cb48

      SHA1

      1f9909d227b93be10328e0abc64052da984657ba

      SHA256

      50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

      SHA512

      3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

      Download Submit

    • C:\Windows\uninstal.bat
      Filesize

      254B

      MD5

      1a4f9bd1d8098c16ce920df2e248962f

      SHA1

      c4b88d024b86d65ab35d2832b0d16cb4ddd0d085

      SHA256

      0ab6c38fe0748ec78c6c791123603926134dd7207270936a9bd7742a9fa947b0

      SHA512

      3d2fe572d3839685b9b69d600a8cb82347cbe4d0b76a002bd3f7085e041ab7dbeb6e33aa2d084d6e8072c5c6fe572a2cd3a2959c3348430fa7714ce50255c633

      Download Submit

    • C:\Windows\wg.exe
      Filesize

      796KB

      MD5

      a7fb756bfe894118dd9390ec584ed097

      SHA1

      ee6baf27630b2da4c2c310240a15497954c33e73

      SHA256

      ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1

      SHA512

      53996704b70ce7bff42a76c5df45037ef30b9f8dc4283c4ef0789fd4bcf41abd1b630608ace3cd2e29822668fdeb573d3d058330f41676748a2158374f35fe03

      Download Submit

    • C:\Windows\wg.exe
      Filesize

      796KB

      MD5

      a7fb756bfe894118dd9390ec584ed097

      SHA1

      ee6baf27630b2da4c2c310240a15497954c33e73

      SHA256

      ea9a79b7aaae374ef7bcbadd9c57fad8b51ccaef0f1db94cef7eb026ec415bd1

      SHA512

      53996704b70ce7bff42a76c5df45037ef30b9f8dc4283c4ef0789fd4bcf41abd1b630608ace3cd2e29822668fdeb573d3d058330f41676748a2158374f35fe03

      Download Submit

    • memory/1376-62-0x0000000003FC0000-0x0000000003FD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1376-64-0x0000000003FE0000-0x0000000003FF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1376-65-0x0000000000400000-0x000000000053D000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1376-66-0x00000000002C0000-0x0000000000314000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1376-67-0x0000000003160000-0x0000000003260000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1376-72-0x0000000000400000-0x000000000053D000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1980-54-0x0000000075831000-0x0000000075833000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-57-0x0000000003280000-0x0000000003380000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1980-56-0x0000000000370000-0x00000000003C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1980-69-0x0000000000400000-0x000000000053D000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1980-70-0x0000000000370000-0x00000000003C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1980-55-0x0000000000400000-0x000000000053D000-memory.dmp

      Filesize

      1.2MB

      Download