Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/10/2022, 18:09

General

  • Target

    f2954fdf4c0828596c42034ea0d22762581b09bdc68874589f2dff85873bdc7e.exe

  • Size

    1.0MB

  • MD5

    05a798c3c5016cf081553ac0e320538b

  • SHA1

    da55d2ed0410ffb2ad04c7ac90dbde9ad0e17fa0

  • SHA256

    f2954fdf4c0828596c42034ea0d22762581b09bdc68874589f2dff85873bdc7e

  • SHA512

    29b2681b04063e1f62e79c64b93c840a259c3d64b2a6fb3d133fa821c9b32afb92cdd463951ff329c01d7daa5222afe245d5fba5cb7a50a110542175f9577ffd

  • SSDEEP

    24576:TmUNJyJqb1FcMap2ATT5XmUNJyJqb1FcMap2ATT5XmUNJyJqb1FcMap2ATT5:TmV2ApXmV2ApXmV2Ap

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2954fdf4c0828596c42034ea0d22762581b09bdc68874589f2dff85873bdc7e.exe
    "C:\Users\Admin\AppData\Local\Temp\f2954fdf4c0828596c42034ea0d22762581b09bdc68874589f2dff85873bdc7e.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:4832

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\apppatch\svchost.exe

    Filesize

    1.0MB

    MD5

    fb65b10d4d753aa30a6a58ba100525b4

    SHA1

    5e6600ffc6d1581082e1a9efe62b90b7f13a1b83

    SHA256

    27748b74bd2ed8985d6bb1444d35eeb4537cdadb3b247effd4d8e281df0b3d83

    SHA512

    4c4776293c9c8559efe6d7958a09d3071839aac1cc1383440a220661014df49cbaaae10d90440faf02b6440524f48d81e485b59ecbc8cf4f5817ea0562e9baac

  • memory/4832-135-0x00000000026E0000-0x0000000002788000-memory.dmp

    Filesize

    672KB

  • memory/4832-136-0x0000000002B00000-0x0000000002BB6000-memory.dmp

    Filesize

    728KB

  • memory/4832-137-0x0000000002B00000-0x0000000002BB6000-memory.dmp

    Filesize

    728KB