Overview

overview

10

Static

static

794129e652...9c.exe

windows7-x64

10

794129e652...9c.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    68s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c.exe

  • Size

    125KB

  • MD5

    0d877e5596148ea2518276010d825392

  • SHA1

    6673b830650834db609dbcaff8c6bedb77bd701e

  • SHA256

    794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c

  • SHA512

    16fcd229c5bc7f8a5ddb1096b6169581ee3efee203b8a027f0ba914d4796d6b5aaa418e83f90a862f530d838c0be8861a394a2496b8a4a3bea1a52f85bb4c9eb

  • SSDEEP

    3072:T3tNkPGemOiwVn8ixLBlzies0k1NLYMm6oa+mUpsW:Td4mOpthY1lYMBGp

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Users\Admin\AppData\Local\Temp\794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c.exe
    "C:\Users\Admin\AppData\Local\Temp\794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c.exe
      "C:\Users\Admin\AppData\Local\Temp\794129e6525495a01d888ac4f03378fc6dc7f48abf842c1af7dd455a201ac49c.exe"
      2⤵
      • Modifies security service
      • Registers COM server for autorun
      • Drops file in Program Files directory
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1888
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$a31e499c3c7c222a40fd7fc6e142514c\@
    Filesize

    2KB

    MD5

    a6740d1cc56425cde11a0992051bedaa

    SHA1

    04ce0192323b8919c91d128b135d02d9715c4279

    SHA256

    35b457a5dba3c252191718660e3dc8c164976e22db6446f2539d37b6ecedba16

    SHA512

    1fa2ba780d74ee09442d3504249d738bdd556ab28407d3416ea95ce635c2ba78172358a3b0e77d5909072c0164e9172173429fc9459969b7b9bffc84d5f4d355

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$a31e499c3c7c222a40fd7fc6e142514c\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\$a31e499c3c7c222a40fd7fc6e142514c\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$a31e499c3c7c222a40fd7fc6e142514c\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • \$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\$a31e499c3c7c222a40fd7fc6e142514c\n
    Filesize

    41KB

    MD5

    fb4e3236959152a057bc6b7603c538ef

    SHA1

    b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4

    SHA256

    8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0

    SHA512

    993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

    Download Submit

  • memory/1888-63-0x00000000002A0000-0x00000000002DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1888-68-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2004-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2004-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2004-67-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2004-71-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download