Analysis

  • max time kernel
    82s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 05:50

General

  • Target

    cda0cb962af2a61d7a0847b7c7e8a7d083e86c1a52d1d1ab4a8a472c80a9111a.exe

  • Size

    152KB

  • MD5

    a2b85a6ffe8860bd14e22239d6790133

  • SHA1

    17d4bb76001f745d034e255264427792267f4ca9

  • SHA256

    cda0cb962af2a61d7a0847b7c7e8a7d083e86c1a52d1d1ab4a8a472c80a9111a

  • SHA512

    7faf4f111896a01d20f6c81aca974ad2c28531569b25adaa33ff30c0ba8d1c445146b8a76aec24b7e623f25b994ba3de6d24a61888a76adeb603ddca6825cf6b

  • SSDEEP

    1536:D3wo0rK5iX/3PjPozbSdHjWTMHPf+3AAuOsIdCH/NYJXLhA5Eq26g4SEx857Zp4y:D3wnrK5i371O3jO5i6g4SESBQTqj5

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cda0cb962af2a61d7a0847b7c7e8a7d083e86c1a52d1d1ab4a8a472c80a9111a.exe
    "C:\Users\Admin\AppData\Local\Temp\cda0cb962af2a61d7a0847b7c7e8a7d083e86c1a52d1d1ab4a8a472c80a9111a.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\cda0cb962af2a61d7a0847b7c7e8a7d083e86c1a52d1d1ab4a8a472c80a9111a.exe"
      2⤵
        PID:4248

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Windows\SysWOW64\WinSocketA.dll

      Filesize

      74KB

      MD5

      714b43b051b283b47631f20cb5938a07

      SHA1

      92d68beaeaf77874e2eed2fb9b8ff1fd9c70b030

      SHA256

      80b624af653caad200d35f753b5a5c37f1258efa2f09b07f8fd1679a5dc670c1

      SHA512

      7d6e1eeccec576c61dc9411af183cae4799da3851f30ad9cf56f285b5f4d08e98ad3a0c4d8ee201a61c48b400efefc3c019e22a52acd835e87924dc25a609c55

    • memory/1824-132-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1824-135-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4248-134-0x0000000000000000-mapping.dmp