Overview

overview

10

Static

static

03fa9b831b...84.exe

windows7-x64

10

03fa9b831b...84.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    106s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784.exe

  • Size

    223KB

  • MD5

    46b53f7b55c770d09ffa12c65bea34a6

  • SHA1

    8a6003ff0d07c5b3fb0e69428328d3c46b699469

  • SHA256

    03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784

  • SHA512

    3d10903f2a0ef003e87d522c888054c8db9ef009ab41942f0e9fc3a739cbaeaf972ba37394bfa259e08480305e049ba2ab9b912745808f2f60f08357656576bb

  • SSDEEP

    3072:gEHPJBytw176VhQO3c5ZxW5R1cmgwq18KGm0usOLUUG:gyhwq1eHQO3chCcTwSdAeH

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Users\Admin\AppData\Local\Temp\03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784.exe
    "C:\Users\Admin\AppData\Local\Temp\03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784.exe
      "C:\Users\Admin\AppData\Local\Temp\03fa9b831b2526b0979906006056f3122208d6fcfdc01117d1e8a27fd2155784.exe"
      2⤵
      • Modifies security service
      • Registers COM server for autorun
      • Drops file in Program Files directory
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1900
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
    Filesize

    2KB

    MD5

    57cfc364d18bf71fc9a2622fed429464

    SHA1

    dd7db102d6e42e72b8e8a6ca60d6384b2b89cb4e

    SHA256

    dc975308a4a86e1b7a7819cf6305dd5551150e826d6ac684b30cdddc44685c9c

    SHA512

    0d005e2fbfc5d3126e6f9b3085107ec08c05d6b96803c7f172151d08b2146b40cd31333392f2a028e2827a8d847f1af498de3ae99435bf2b5b5a14ae1907eed5

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • memory/1900-65-0x0000000000290000-0x00000000002BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1900-66-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1900-59-0x0000000000320000-0x000000000035C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1900-70-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2004-64-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2004-63-0x0000000000270000-0x000000000029C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2004-71-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download