Overview

overview

10

Static

static

d82dc4cf97...34.exe

windows7-x64

10

d82dc4cf97...34.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    108s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-10-2022 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434.exe

  • Size

    134KB

  • MD5

    a206d372e370d3cdc4fa9067919fecf7

  • SHA1

    6e1a67dcd50d64d8f3fd735a16f0d80da4232ca6

  • SHA256

    d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434

  • SHA512

    b4604c0f44ce859bff05fecce543b684a7ded1b8178c06865f416b5305075260ee27be18affe35694edda44cc00001331468fa1268782add7c164f50993c63c6

  • SSDEEP

    3072:QP3gvKzyxfgE/Fjp51M5K5yUH+khurNqkKHtBl63ihwm59dZ6:QP3gvKA3bry4+kheYkKN70+9d4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434.exe
      "C:\Users\Admin\AppData\Local\Temp\d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Users\Admin\AppData\Local\Temp\d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434.exe
        "C:\Users\Admin\AppData\Local\Temp\d82dc4cf97d2779df8cfe898f68f1ed5b41061dfb49dc27cb4c918c1d86fc434.exe"
        3⤵
        • Modifies security service
        • Registers COM server for autorun
        • Drops file in Program Files directory
        • Modifies registry class
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
    Filesize

    2KB

    MD5

    85514fb75cc6039c65be16b67e4fd8ee

    SHA1

    c080ce99cb06075e15582da8aad8bb104c125572

    SHA256

    b1fdffe5704d29f7b4e4b560492d935d553adb8c6d9a63399bea17c2f25206c7

    SHA512

    e2fc08083e1a67c900e4a517d93f2b61bb648f9a0297ef2e2c1e863afd386e7269ea9d20b54c1a2f256421314993874576ffa89559598ec032d86ae9b04f9660

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • \$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1980-55-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2032-56-0x0000000000000000-mapping.dmp

    Download

  • memory/2032-63-0x0000000000240000-0x0000000000256000-memory.dmp

    Filesize

    88KB

    Download