Overview

overview

8

Static

static

2ac3d9f4a9...b6.exe

windows7-x64

8

2ac3d9f4a9...b6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6.exe

  • Size

    173KB

  • MD5

    8a81d5ee862c03d0647b951a3a8e9cab

  • SHA1

    6292550c08a81a854c4f680132a8fb1d1b83d3bd

  • SHA256

    2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6

  • SHA512

    5c45add4ae920333598aadc3eca24409ccc7be42dd784f8877f64915dff8692701b6f330c35a8ccc00eebe42b1d53e7714674cf438eba72ab0d836fce35362ba

  • SSDEEP

    3072:RGKnHomHIEEfcOU14w2BmqUZPnAaeN9BAlxLUzCuGN/AcnUM3N8v7maUJ4:oKTHIEEfrM2zURsNDAlxAzC1CSDN8v7q

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 3 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6.exe
    "C:\Users\Admin\AppData\Local\Temp\2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6.exe
      "C:\Users\Admin\AppData\Local\Temp\2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\processing_win.exe
        "C:\Windows\processing_win.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\processing_win.exe
          "C:\Windows\processing_win.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule profile=any name=Win2y2
            5⤵
            • Modifies Windows Firewall
            PID:660
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=Win2y2 program="C:\Windows\processing_win.exe"
            5⤵
            • Modifies Windows Firewall
            PID:1680
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Win2y2 program="C:\Windows\processing_win.exe"
            5⤵
            • Modifies Windows Firewall
            PID:692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\processing_win.exe
    Filesize

    173KB

    MD5

    8a81d5ee862c03d0647b951a3a8e9cab

    SHA1

    6292550c08a81a854c4f680132a8fb1d1b83d3bd

    SHA256

    2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6

    SHA512

    5c45add4ae920333598aadc3eca24409ccc7be42dd784f8877f64915dff8692701b6f330c35a8ccc00eebe42b1d53e7714674cf438eba72ab0d836fce35362ba

    Download Submit

  • C:\Windows\processing_win.exe
    Filesize

    173KB

    MD5

    8a81d5ee862c03d0647b951a3a8e9cab

    SHA1

    6292550c08a81a854c4f680132a8fb1d1b83d3bd

    SHA256

    2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6

    SHA512

    5c45add4ae920333598aadc3eca24409ccc7be42dd784f8877f64915dff8692701b6f330c35a8ccc00eebe42b1d53e7714674cf438eba72ab0d836fce35362ba

    Download Submit

  • C:\Windows\processing_win.exe
    Filesize

    173KB

    MD5

    8a81d5ee862c03d0647b951a3a8e9cab

    SHA1

    6292550c08a81a854c4f680132a8fb1d1b83d3bd

    SHA256

    2ac3d9f4a9e3f1df797173c0b23f675d6216278433623e5cd42f37109349acb6

    SHA512

    5c45add4ae920333598aadc3eca24409ccc7be42dd784f8877f64915dff8692701b6f330c35a8ccc00eebe42b1d53e7714674cf438eba72ab0d836fce35362ba

    Download Submit

  • memory/660-95-0x0000000000000000-mapping.dmp

    Download

  • memory/692-97-0x0000000000000000-mapping.dmp

    Download

  • memory/784-55-0x00000000002A0000-0x00000000002A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/784-54-0x0000000000B40000-0x0000000000B72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1528-99-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1528-88-0x00000000131596AC-mapping.dmp

    Download

  • memory/1528-103-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1680-96-0x0000000000000000-mapping.dmp

    Download

  • memory/1732-75-0x00000000008A0000-0x00000000008D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1732-72-0x0000000000000000-mapping.dmp

    Download

  • memory/2012-63-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-71-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-70-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2012-69-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-67-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-68-0x00000000131596AC-mapping.dmp

    Download

  • memory/2012-66-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-64-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-61-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-59-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-98-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-57-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2012-56-0x0000000013140000-0x000000001316B000-memory.dmp

    Filesize

    172KB

    Download