Overview

overview

10

Static

static

9bd6ac740f...24.exe

windows7-x64

10

9bd6ac740f...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2022 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bd6ac740f14d705d42547c16660905090307179696a814d34c1887649a0a624.exe

  • Size

    108KB

  • MD5

    708a212a9f142d9ee4306a99488959d5

  • SHA1

    44c9df0ee615bea35f19a053f3bd16e49e7e9fd1

  • SHA256

    9bd6ac740f14d705d42547c16660905090307179696a814d34c1887649a0a624

  • SHA512

    32cad6fac8fc5f1270af7bc503c5290de3b22ff2dc311ceaf983de9979159246ddba8de20db7cf6d94a6815adeb86d05f04e6e504553b374f0b47ddd0dbafaf1

  • SSDEEP

    1536:Q5eGqiOaTV+BA5uIpZo/QGoGG8betK4pkSQsVEj:Q5eRiO7GSuGGJ0V+Vm

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bd6ac740f14d705d42547c16660905090307179696a814d34c1887649a0a624.exe
    "C:\Users\Admin\AppData\Local\Temp\9bd6ac740f14d705d42547c16660905090307179696a814d34c1887649a0a624.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
      2⤵
      • Modifies Windows Firewall
      PID:4748
    • C:\Users\Admin\AppData\Roaming\lsass.exe
      /d C:\Users\Admin\AppData\Local\Temp\9bd6ac740f14d705d42547c16660905090307179696a814d34c1887649a0a624.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:4792

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    108KB

    MD5

    ea2f870152e046f97678d9e4f3145859

    SHA1

    2913dbdfd32e9ce01c5545589280a6d46efc198f

    SHA256

    8982176c0f45e405c02f96bdc3e765d4e789f9110e0f9213a32f99e0826d8375

    SHA512

    9e3ceca914081b78f622751c4aaa5706fc35d82c78ab7829aa700143f31f77f9a09c02f6e999a9f651be3bb955074a71ae14aec1623218ec262b05fb74ee2253

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    108KB

    MD5

    ea2f870152e046f97678d9e4f3145859

    SHA1

    2913dbdfd32e9ce01c5545589280a6d46efc198f

    SHA256

    8982176c0f45e405c02f96bdc3e765d4e789f9110e0f9213a32f99e0826d8375

    SHA512

    9e3ceca914081b78f622751c4aaa5706fc35d82c78ab7829aa700143f31f77f9a09c02f6e999a9f651be3bb955074a71ae14aec1623218ec262b05fb74ee2253

    Download Submit