Overview

overview

8

Static

static

0c7da96256...6e.exe

windows7-x64

8

0c7da96256...6e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c7da962567056d8d9688698a39eff5df8d36b335a04120d0870f38d3d02eb6e.exe

  • Size

    365KB

  • MD5

    81acc794a9f04507c049544e00752a80

  • SHA1

    10db232ab88dc2a91946554ffb629f1b4bfdee06

  • SHA256

    0c7da962567056d8d9688698a39eff5df8d36b335a04120d0870f38d3d02eb6e

  • SHA512

    bba06ecb5470c2aae09689f99552271223eccc457c2eb545955456f61410997901f26ff2fd6eeb5bef9d670239040978191c57248736cdef46d3d93862ffd8ab

  • SSDEEP

    6144:Vjbei1tqLJmjP3Lt4fV4GIht/6GjxjiGJ3usiZNd2kMBYBtsrpGl6Bp6Drb:Vuzw1494GIhUIZJgvY/BYnOuPb

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c7da962567056d8d9688698a39eff5df8d36b335a04120d0870f38d3d02eb6e.exe
    "C:\Users\Admin\AppData\Local\Temp\0c7da962567056d8d9688698a39eff5df8d36b335a04120d0870f38d3d02eb6e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2008.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2008.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 796
        3⤵
        • Program crash
        PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
        3⤵
          PID:664
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C1.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C1.exe_deleteme.bat
          3⤵
            PID:2828
      • C:\Windows\system\system.ini
        C:\Windows\system\system.ini
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Program Files\Internet Explorer\ieXpLoRe.EXe
          "C:\Program Files\Internet Explorer\ieXpLoRe.EXe"
          2⤵
            PID:3396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1344 -ip 1344
          1⤵
            PID:3592

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C1.exe
            Filesize

            77KB

            MD5

            a83590f5e73f660d394dcf8905854a0e

            SHA1

            84119a0328535a2903141a01633a7f5f382e99b9

            SHA256

            15ae76691f012bfe18c8d0633d61f6d445aa40a5894e9805e0fce2539a391aba

            SHA512

            15dab74680c7d8d162da44c6696c9ea2ea9957a525bf54be6e7e10165b1ed4ab05b609d44187e959adfda32c03fc30bcbecf56675139770f0a807c3d0889dfb3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C1.exe
            Filesize

            77KB

            MD5

            a83590f5e73f660d394dcf8905854a0e

            SHA1

            84119a0328535a2903141a01633a7f5f382e99b9

            SHA256

            15ae76691f012bfe18c8d0633d61f6d445aa40a5894e9805e0fce2539a391aba

            SHA512

            15dab74680c7d8d162da44c6696c9ea2ea9957a525bf54be6e7e10165b1ed4ab05b609d44187e959adfda32c03fc30bcbecf56675139770f0a807c3d0889dfb3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C1.exe_deleteme.bat
            Filesize

            146B

            MD5

            24f4352b08d75149eb937b64c37758c4

            SHA1

            0c6920512a0bfea41a49ed43f5433eb9ad9528f7

            SHA256

            f28f4af7683a0de791939abf66a72f281a7dd544fdb9d074006db5d98c41aaec

            SHA512

            835dc4fdaceeb5e614ab069a31d27b253a3199f1e2bae8ac13d46fe89c21a9cd62e49991615725591bb54e274daedfebf3b56b7e839e165a31e1ead2221ef5b8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2008.exe
            Filesize

            297KB

            MD5

            875e70f177b4aedef54c41e02914d789

            SHA1

            411747c529d8495fc3c4047c7f3d241a87581bd8

            SHA256

            9fb06cdaad28e5e720d844b05e7ab4517601d032a78c7d09ffb5ce04557503fd

            SHA512

            a7a21be6ec4d80b07eb4898896e2a5cc8099a07430aafbf46b682398572781bd72005ac06d5a52f22b5f6d3137e20782aea4f45444caa67a5ec50d7ae379f94d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2008.exe
            Filesize

            297KB

            MD5

            875e70f177b4aedef54c41e02914d789

            SHA1

            411747c529d8495fc3c4047c7f3d241a87581bd8

            SHA256

            9fb06cdaad28e5e720d844b05e7ab4517601d032a78c7d09ffb5ce04557503fd

            SHA512

            a7a21be6ec4d80b07eb4898896e2a5cc8099a07430aafbf46b682398572781bd72005ac06d5a52f22b5f6d3137e20782aea4f45444caa67a5ec50d7ae379f94d

            Download Submit

          • C:\Windows\System\system.ini
            Filesize

            297KB

            MD5

            875e70f177b4aedef54c41e02914d789

            SHA1

            411747c529d8495fc3c4047c7f3d241a87581bd8

            SHA256

            9fb06cdaad28e5e720d844b05e7ab4517601d032a78c7d09ffb5ce04557503fd

            SHA512

            a7a21be6ec4d80b07eb4898896e2a5cc8099a07430aafbf46b682398572781bd72005ac06d5a52f22b5f6d3137e20782aea4f45444caa67a5ec50d7ae379f94d

            Download Submit

          • C:\Windows\UNINSTAL.BAT
            Filesize

            154B

            MD5

            818b8c7c16c990aeda1386f3e43b234a

            SHA1

            1b47eb6ab82c734d10be2852690fb73d694a5824

            SHA256

            9b335c0aaa9ab9644b748e4ab8d5884114cf28ef36989795111bd29f7b8fbf1b

            SHA512

            4366e5e34a97536a189a3556bb38696104e3560dfbae2de04d60fe50dd13f72c95895aff055c6fc73571b30a57f52058e9319e23dbb70eea12355b2408bcb697

            Download Submit

          • C:\Windows\system\system.ini
            Filesize

            297KB

            MD5

            875e70f177b4aedef54c41e02914d789

            SHA1

            411747c529d8495fc3c4047c7f3d241a87581bd8

            SHA256

            9fb06cdaad28e5e720d844b05e7ab4517601d032a78c7d09ffb5ce04557503fd

            SHA512

            a7a21be6ec4d80b07eb4898896e2a5cc8099a07430aafbf46b682398572781bd72005ac06d5a52f22b5f6d3137e20782aea4f45444caa67a5ec50d7ae379f94d

            Download Submit

          • memory/532-135-0x0000000001000000-0x000000000105E208-memory.dmp

            Filesize

            376KB

            Download

          • memory/532-148-0x0000000001000000-0x000000000105E208-memory.dmp

            Filesize

            376KB

            Download

          • memory/1344-136-0x0000000000400000-0x00000000005111B0-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3344-140-0x0000000000400000-0x00000000005111B0-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3344-139-0x0000000000400000-0x00000000005111B0-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4296-146-0x0000000000400000-0x000000000041B200-memory.dmp

            Filesize

            108KB

            Download