Overview

overview

10

Static

static

da9ee958ba...37.exe

windows7-x64

10

da9ee958ba...37.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    109s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337.exe

  • Size

    206KB

  • MD5

    33e6bb33eec6c2164bf159e828b66965

  • SHA1

    a8d6d15d2675fc511dabdd0380cbc8b248c75688

  • SHA256

    da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337

  • SHA512

    ac5f234e7098bfd280e91a6e796f4267e5e6dcb210f4593b69e63bce9908ba074a8114a068fe32b24f101b2931d1db78dc4a0a9f8ea6c9242e0a8581be25ed7c

  • SSDEEP

    3072:p9xbvI3tMJKDJDu2WE7ZG1SnkOT94qxkuM70bnSs5SU28+NRybbNmK20RDRu3D:p9xUtVDBu2NZG1qFiqZz35SxqpmKvuT

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337.exe
      "C:\Users\Admin\AppData\Local\Temp\da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Users\Admin\AppData\Local\Temp\da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337.exe
        "C:\Users\Admin\AppData\Local\Temp\da9ee958ba0d0a5df96fe09b4a71e6226919e538ae1d477b5ce53ff39324e337.exe"
        3⤵
        • Modifies security service
        • Registers COM server for autorun
        • Drops file in Program Files directory
        • Modifies registry class
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
    Filesize

    2KB

    MD5

    fe12a5ce6727a51281f447ad8fb0f46b

    SHA1

    07451f622dedde0d50079f893d9da3f436a9baff

    SHA256

    bf095ecc9cd1ba4d99b6e4e3bbca01013524fcbcfdff25205e7faacc2898262d

    SHA512

    e371d7cab925fe0b234434d8c68d397a7bcb2f16cda76c81afcfa0bf2be8b62565717202f3d021dd8281596107694d5e8d4827388a1815073d9ea58b62432bcc

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • memory/1640-60-0x000000000057B000-0x00000000005A0000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1640-65-0x0000000000280000-0x0000000000296000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1640-68-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1640-69-0x000000000057B000-0x00000000005A0000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1640-75-0x000000000057B000-0x00000000005A0000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1692-59-0x0000000000630000-0x0000000000655000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1692-54-0x0000000075921000-0x0000000075923000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1692-58-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1692-55-0x0000000000630000-0x0000000000655000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1692-73-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1692-74-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download