Overview

overview

10

Static

static

e6913a428a...ea.exe

windows7-x64

10

e6913a428a...ea.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6913a428accbba93f41dd2a18190c4f7c9fb5657784cdbf534254dc34af2bea.exe

  • Size

    164KB

  • MD5

    3a8c8db34863fd1447a35e1f22a8aa50

  • SHA1

    548f8baa3c306b40825b396ea7f4892cb5e9ada7

  • SHA256

    e6913a428accbba93f41dd2a18190c4f7c9fb5657784cdbf534254dc34af2bea

  • SHA512

    6ef664ea360bc64aba6a4aa0a1469b798ec2ac15629f9db0fff4e7aeadb009bf39797ad149bf5b4585f308766286b473faee38d3f7434802d8e4a6abd99040b1

  • SSDEEP

    3072:Kq5UOGKNYWx8eY9twvBMEvcaJfIsdlxhy9lyi31YKL7:V5UO2A09KFTp1hyui3Xn

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6913a428accbba93f41dd2a18190c4f7c9fb5657784cdbf534254dc34af2bea.exe
    "C:\Users\Admin\AppData\Local\Temp\e6913a428accbba93f41dd2a18190c4f7c9fb5657784cdbf534254dc34af2bea.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Program Files\Microsoft Office\Root\Office16\winword.exe
      "C:\Program Files\Microsoft Office\Root\Office16\winword.exe"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 728
      2⤵
      • Program crash
      PID:1428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4140 -ip 4140
    1⤵
      PID:4188

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1120-138-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-134-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-135-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-136-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-137-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-139-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-140-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-142-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-143-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-144-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1120-145-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4140-133-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download