Overview

overview

10

Static

static

43c15d789a...03.exe

windows7-x64

10

43c15d789a...03.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2022 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43c15d789aab951b882d293db5505233235f83d7099d8e7469729b51d3569903.exe

  • Size

    189KB

  • MD5

    0c06f3adab5e71787a442444fc01dfa4

  • SHA1

    d42133d5a3a20dcff8bef9b258e26cd27ff8e8f1

  • SHA256

    43c15d789aab951b882d293db5505233235f83d7099d8e7469729b51d3569903

  • SHA512

    c167dd3210db76762907ae4d848f4c28b51db0b36f8b3652fa71b5d99837b78790542295036864699f4a37abc208cf6e65d60a3c13113f6f5676eb233acf8953

  • SSDEEP

    3072:S8RhaJGIXTFWchPO9zGy6IY0pvPXK61d7q4ExsHOMLDylIwuor2hn2:/aFMchm9G2PXK6X9ExADEIa

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\43c15d789aab951b882d293db5505233235f83d7099d8e7469729b51d3569903.exe
      "C:\Users\Admin\AppData\Local\Temp\43c15d789aab951b882d293db5505233235f83d7099d8e7469729b51d3569903.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1820

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \systemroot\Installer\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@
      Filesize

      2KB

      MD5

      d6956dd78953b824ca410b5eb73440ad

      SHA1

      ec5adfe55ad97f240abc8556a510929d34111cf1

      SHA256

      beaf61d897f13ceb88897383e1b511b6baa0e567d6d8c8d3c8aff417b0c1a313

      SHA512

      a457cc92f0aad8a315a9cee389b699112efb4d84ede819b97b5f0240a322cfbeccbac755cbac17bd563ada75818482025620e3c688fda999a05f746be6b5afdc

      Download Submit

    • memory/460-75-0x00000000000F0000-0x00000000000FB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/460-73-0x00000000000F0000-0x00000000000FB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/460-76-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/460-74-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/460-62-0x0000000000120000-0x000000000012F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/460-66-0x0000000000120000-0x000000000012F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/460-70-0x0000000000120000-0x000000000012F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/672-56-0x0000000000401914-mapping.dmp

      Download

    • memory/672-55-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/672-72-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/672-58-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/672-78-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1348-59-0x0000000074220000-0x00000000747CB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1820-77-0x0000000000000000-mapping.dmp

      Download