Overview

overview

10

Static

static

c5682064b4...08.exe

windows7-x64

10

c5682064b4...08.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    105s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2022, 09:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08.exe

  • Size

    205KB

  • MD5

    6e279a56d202152d66cd02c584835363

  • SHA1

    ee2fc56daa3c6cdd20a770ec3585cbb916ea8fea

  • SHA256

    c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08

  • SHA512

    b2b1692913cac838d4aa6b30d02413fe982cc6faf88f9f342f1ea0ec836e61675ea1f077bcf0a92de756b90cf2c3ade7f0d63de2b8d4d31368ba6f6df1c52e94

  • SSDEEP

    3072:r6sncMXgul/ylVLMquCXK3LpNrtWZRUmcxnTFAW6y3THw749ZgwZ+EsaeOmag6Y:r3FX9L8a3BWZu544MwZOLcg

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 14 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies security service
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Users\Admin\AppData\Local\Temp\c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08.exe
    "C:\Users\Admin\AppData\Local\Temp\c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08.exe
      "C:\Users\Admin\AppData\Local\Temp\c5682064b4648fab164acf1776f1be0020c4c42200846904b177adf3406cbb08.exe"
      2⤵
      • Modifies security service
      • Registers COM server for autorun
      • Drops file in Program Files directory
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1944
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1412

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
          Filesize

          2KB

          MD5

          108b4458af26ca878ea9b7928fd45434

          SHA1

          db63218f0382f3f3efa98afaa57af1bac7c49371

          SHA256

          cd6e8f688a0f6485c0b835ba7d2ba622cd04c43d30e6123da8d5f26e4e881409

          SHA512

          3e0fa86d04d330b466cd6a6a5e86b03ad3d7c506881a3626f29918cbac5a588b057e2b20f900b1d0d48f4c0688511c267473a9076bef983823275c37d222207b

          Download Submit

        • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
          Filesize

          25KB

          MD5

          9e0cd37b6d0809cf7d5fa5b521538d0d

          SHA1

          411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

          SHA256

          55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

          SHA512

          b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

          Download Submit

        • C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
          Filesize

          25KB

          MD5

          9e0cd37b6d0809cf7d5fa5b521538d0d

          SHA1

          411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

          SHA256

          55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

          SHA512

          b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

          Download Submit

        • \$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
          Filesize

          25KB

          MD5

          9e0cd37b6d0809cf7d5fa5b521538d0d

          SHA1

          411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

          SHA256

          55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

          SHA512

          b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

          Download Submit

        • \$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
          Filesize

          25KB

          MD5

          9e0cd37b6d0809cf7d5fa5b521538d0d

          SHA1

          411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

          SHA256

          55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

          SHA512

          b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

          Download Submit

        • memory/832-59-0x0000000000590000-0x00000000005B5000-memory.dmp

          Filesize

          148KB

          Download

        • memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

          Filesize

          8KB

          Download

        • memory/832-58-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/832-55-0x0000000000590000-0x00000000005B5000-memory.dmp

          Filesize

          148KB

          Download

        • memory/832-74-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/832-75-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/832-76-0x0000000000590000-0x00000000005B5000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1944-60-0x00000000002AA000-0x00000000002CF000-memory.dmp

          Filesize

          148KB

          Download

        • memory/1944-65-0x00000000004A0000-0x00000000004DC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1944-69-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1944-70-0x00000000002AA000-0x00000000002CF000-memory.dmp

          Filesize

          148KB

          Download