Overview

overview

10

Static

static

7f78edb434...02.exe

windows7-x64

8

7f78edb434...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe

  • Size

    470KB

  • MD5

    15a861b54403084db2cfabc2f7e0dd40

  • SHA1

    6498b6fc584cc8af7265874b8bd9af77218760fb

  • SHA256

    7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02

  • SHA512

    6532568dd8fb03ac5573ece2019cac67eafbb4f51b50a56cd87976a92a06f3350c31043c7e08ab5049487e37bd7ee45a84e158867ddd0f271b73ba662010e80c

  • SSDEEP

    6144:+8SRDa8qLzrqUeQfHR2sle1tgk25MBqpp6joQ68SRDa8qLzrqUeQfHR2sle1tgkm:EPKrnsrkOBqdPKrnsrkOBqp

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Runs ping.exe 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe
    "C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
        PID:604
      • C:\Windows\SysWOW64\attrib.exe
        "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe
        2⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1676
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1424
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1912
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:652
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:304
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:732
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:776
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1868
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1796
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1684
      • C:\Windows\SysWOW64\ping.exe
        C:\Windows\System32\ping.exe google.com
        2⤵
        • Runs ping.exe
        PID:1620
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
        2⤵
        • Adds Run key to start application
        PID:1164
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
        2⤵
        • Adds Run key to start application
        PID:1652
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
        2⤵
        • Adds Run key to start application
        PID:1636
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
        2⤵
        • Adds Run key to start application
        PID:1784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/304-61-0x0000000000000000-mapping.dmp
      Download
    • memory/652-60-0x0000000000000000-mapping.dmp
      Download
    • memory/732-62-0x0000000000000000-mapping.dmp
      Download
    • memory/776-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1164-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1424-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1620-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1652-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1676-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1684-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1736-54-0x0000000076411000-0x0000000076413000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1736-56-0x0000000074970000-0x0000000074F1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1736-55-0x0000000074970000-0x0000000074F1B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1784-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1868-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1912-59-0x0000000000000000-mapping.dmp
      Download