Analysis

  • max time kernel
    143s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2022 06:57

General

  • Target

    f00e36f455dc30ab6dba68920646620800f1e88af0f598bc6de1a49085a01655.exe

  • Size

    164KB

  • MD5

    095a91cd81d393c2120f02a01bbc3e56

  • SHA1

    4fbcfac117a9416217b77eb7a235dfd543539ad8

  • SHA256

    f00e36f455dc30ab6dba68920646620800f1e88af0f598bc6de1a49085a01655

  • SHA512

    1a75d6e796fe6e1bf14bf9929bf377f149f9277a78fa5dce6889c185fc3f59cac7273954b608630275532b51badfb5c93913f0c36a91b4714211fece0f44777e

  • SSDEEP

    3072:YDdTI3CagDoa86z1J1cG6xHg67bOtyyaQgmkyEoRkxGtmwrKc3jAqTV:YDGyaaoaFJjcGigSbOtyybxkynRrJkqB

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 26 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Users\Admin\AppData\Local\Temp\f00e36f455dc30ab6dba68920646620800f1e88af0f598bc6de1a49085a01655.exe
    "C:\Users\Admin\AppData\Local\Temp\f00e36f455dc30ab6dba68920646620800f1e88af0f598bc6de1a49085a01655.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \systemroot\Installer\{a31e499c-3c7c-222a-40fd-7fc6e142514c}\@

    Filesize

    2KB

    MD5

    8c5104281d8bcf08862b606bea874e3a

    SHA1

    1a803ce0f786b568be3c91c406495ae929eb3b27

    SHA256

    e403f94a639431efa2a6adb1910f70c93bcf3b43f07a90e3b612673a8e6b03fe

    SHA512

    4933b220c5d0e50927478d5dc53d8300a9cd6381020af34cb17ada34311b34a33a88a94f4176fd7d07a58bf5fdb770cb55a8acdd37847043960fc3c94218b23c

  • memory/464-54-0x00000000001B0000-0x00000000001BF000-memory.dmp

    Filesize

    60KB

  • memory/464-58-0x00000000001B0000-0x00000000001BF000-memory.dmp

    Filesize

    60KB

  • memory/464-62-0x00000000001B0000-0x00000000001BF000-memory.dmp

    Filesize

    60KB

  • memory/464-64-0x00000000001A0000-0x00000000001AB000-memory.dmp

    Filesize

    44KB

  • memory/464-65-0x00000000001C0000-0x00000000001CF000-memory.dmp

    Filesize

    60KB

  • memory/464-66-0x00000000001A0000-0x00000000001AB000-memory.dmp

    Filesize

    44KB

  • memory/464-67-0x00000000001C0000-0x00000000001CF000-memory.dmp

    Filesize

    60KB