Overview

overview

10

Static

static

8e9b0007d2...c2.exe

windows7-x64

10

8e9b0007d2...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/10/2022, 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe

  • Size

    368KB

  • MD5

    22a16aac778046db0211063baf087f01

  • SHA1

    b4b956ed95e827e0f3fa6fb41e339119660121d1

  • SHA256

    8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2

  • SHA512

    8b45b35b593fffda272d361e5f5e1a2c413157e47055de18d3a5a4fc12952e6ffee5419159efb7653373aa7360277034f951ab39a8725c16815ea0ca8e6b281c

  • SSDEEP

    6144:T3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9Ei/:gmWhND9yJz+b1FcMLmp2ATTSsd/

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
    "C:\Users\Admin\AppData\Local\Temp\8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    368KB

    MD5

    35292e1e4db9bb02642c8263a1e6ab0f

    SHA1

    b09c1a58d43b5c96bcb2b7794403c32f0c4169ba

    SHA256

    9fb2d3b0ae4f2ae5aa6b2a023a356102ab9215233e22a04c6fa13df50cd83857

    SHA512

    a24db9d5634f767411baea666b449907bf47003ffda79cbc947ccd3d8e2d9277f3e87b5363a6f0e6bbccbabf884a6d8678ad2d546c36587121107423e28f15fd

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    368KB

    MD5

    35292e1e4db9bb02642c8263a1e6ab0f

    SHA1

    b09c1a58d43b5c96bcb2b7794403c32f0c4169ba

    SHA256

    9fb2d3b0ae4f2ae5aa6b2a023a356102ab9215233e22a04c6fa13df50cd83857

    SHA512

    a24db9d5634f767411baea666b449907bf47003ffda79cbc947ccd3d8e2d9277f3e87b5363a6f0e6bbccbabf884a6d8678ad2d546c36587121107423e28f15fd

    Download Submit

  • memory/840-135-0x00000000026E0000-0x0000000002788000-memory.dmp

    Filesize

    672KB

    Download

  • memory/840-136-0x0000000002B00000-0x0000000002BB6000-memory.dmp

    Filesize

    728KB

    Download