Overview

overview

10

Static

static

9456b715f9...97.exe

windows7-x64

10

9456b715f9...97.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    3s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497.exe

  • Size

    220KB

  • MD5

    0001b91028e5793260732cc45e2aa5f0

  • SHA1

    395a735e189dc98e0e968278bc499c95c8e31579

  • SHA256

    9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497

  • SHA512

    d382a3fc5543b9a8c0f138d12d307a7a062317a98cce83f39827a33f11d58173842b05bead451993876ac832cfc7441c3e8845d93e7d53071d1f7801713d92af

  • SSDEEP

    6144:A6FzEWejt9E0pk9wPZMD6bkSJErmhHCf/rneW/i:vZejtOUjZMD6btErmhE/ro

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497.exe
      "C:\Users\Admin\AppData\Local\Temp\9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Users\Admin\AppData\Local\Temp\9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497.exe
        "C:\Users\Admin\AppData\Local\Temp\9456b715f919abc7d0f41a8350a77796becb77e07117d9b3473230ace0801497.exe"
        3⤵
        • Modifies security service
        • Registers COM server for autorun
        • Drops file in Program Files directory
        • Modifies registry class
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1964

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@
    Filesize

    2KB

    MD5

    6fe5aae8990fedc28159cadd4d90ef96

    SHA1

    addd35b92f591f29f7e91595c292822bf0a1ba84

    SHA256

    394743bdb88f4024e4d4f1267fd9b2b794eea435051a4f5846400916b55bcabf

    SHA512

    2acccdd6d23c169e818f649ee35be1139cff0f11f650a5ea9dfd53e489380e0e9a3133e2dfb7dfeee0d629cf465a225e5acc62f99e34adcf9188ae8db9c522e9

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    15KB

    MD5

    1cacb321a7014c1b83d9d64d7123df90

    SHA1

    0b7f0384a9bbb532540be387decdfb7c4fedad1d

    SHA256

    7791df3387fb97e9d8ac7a52df1ec1db9f6e3b1ec7dc03b4cc7b92079ae3a5a6

    SHA512

    951d550141d497b095269b8a5616888051354446ee5506a2236ad6881193e4ba097ccc7bf8253b67b1e408ed7863ff536104524f23e070861c3e31459d6e2377

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • \$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n
    Filesize

    25KB

    MD5

    9e0cd37b6d0809cf7d5fa5b521538d0d

    SHA1

    411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

    SHA256

    55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

    SHA512

    b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

    Download Submit

  • memory/1760-58-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1760-59-0x00000000005B3000-0x00000000005E0000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1760-54-0x0000000075281000-0x0000000075283000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1760-55-0x00000000005B3000-0x00000000005E0000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1964-65-0x0000000000290000-0x00000000002CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1964-60-0x000000000032E000-0x000000000035B000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1964-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1964-73-0x000000000032E000-0x000000000035B000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1964-72-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download