Overview

overview

10

Static

static

ebd187987d...ca.exe

windows7-x64

10

ebd187987d...ca.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe

  • Size

    206KB

  • MD5

    635a5aad75a562b40d9cd3e23f61bc77

  • SHA1

    07718f751fc0fac84d01849f25ff38ea1403d1f9

  • SHA256

    ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

  • SHA512

    73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

  • SSDEEP

    3072:JUdas6F7Oq4W+qWFG/zY//HlIwFlbThSAFP2jfhld03iuRXCpSvFWBMuQVxtt3ZP:xp0GZenU+2jfdkiuBvvF1l5Fg

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 17 IoCs
    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe
    "C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1620
      • C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe
        "C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Users\Admin\AppData\Local\twc.exe
          "C:\Users\Admin\AppData\Local\twc.exe" -gav C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Users\Admin\AppData\Local\twc.exe
            "C:\Users\Admin\AppData\Local\twc.exe" -gav C:\Users\Admin\AppData\Local\Temp\ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca.exe
            4⤵
            • Modifies system executable filetype association
            • Executes dropped EXE
            • Deletes itself
            • Adds Run key to start application
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1764
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2036
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x594
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\twc.exe
      Filesize

      206KB

      MD5

      635a5aad75a562b40d9cd3e23f61bc77

      SHA1

      07718f751fc0fac84d01849f25ff38ea1403d1f9

      SHA256

      ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

      SHA512

      73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

      Download Submit

    • C:\Users\Admin\AppData\Local\twc.exe
      Filesize

      206KB

      MD5

      635a5aad75a562b40d9cd3e23f61bc77

      SHA1

      07718f751fc0fac84d01849f25ff38ea1403d1f9

      SHA256

      ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

      SHA512

      73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

      Download Submit

    • C:\Users\Admin\AppData\Local\twc.exe
      Filesize

      206KB

      MD5

      635a5aad75a562b40d9cd3e23f61bc77

      SHA1

      07718f751fc0fac84d01849f25ff38ea1403d1f9

      SHA256

      ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

      SHA512

      73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

      Download Submit

    • \Users\Admin\AppData\Local\twc.exe
      Filesize

      206KB

      MD5

      635a5aad75a562b40d9cd3e23f61bc77

      SHA1

      07718f751fc0fac84d01849f25ff38ea1403d1f9

      SHA256

      ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

      SHA512

      73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

      Download Submit

    • \Users\Admin\AppData\Local\twc.exe
      Filesize

      206KB

      MD5

      635a5aad75a562b40d9cd3e23f61bc77

      SHA1

      07718f751fc0fac84d01849f25ff38ea1403d1f9

      SHA256

      ebd187987d3d0b922fba1741bd96312798ef1888816a325766747866ca8d15ca

      SHA512

      73fb6e3672839a73c79ea3f962f224b3598d476165343bff594dafcf1e8cb2705ddfd2190a66970f38f317b26897cd25ac98f0def07993ec5e5319f8df40074b

      Download Submit

    • memory/1620-54-0x0000000000000000-mapping.dmp

      Download

    • memory/1704-58-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-56-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-63-0x0000000076681000-0x0000000076683000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1704-61-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-55-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-60-0x0000000000401010-mapping.dmp

      Download

    • memory/1704-59-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-68-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1704-62-0x0000000000790000-0x0000000000A47000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1764-76-0x0000000000401010-mapping.dmp

      Download

    • memory/1764-79-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1764-80-0x00000000748C1000-0x00000000748C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1764-81-0x0000000000400000-0x00000000005F1000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1960-66-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-69-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

      Filesize

      8KB

      Download