Analysis

  • max time kernel
    128s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2022 23:22

General

  • Target

    64238cd5ecbe797ebea9eaa90000f96146dbab085a61f132d443d1a5ebf3fe32.exe

  • Size

    298KB

  • MD5

    bc54868a08a7d4336922e40b3d18abc5

  • SHA1

    f3221a414b42524d546cf51c18b0f8f239666167

  • SHA256

    64238cd5ecbe797ebea9eaa90000f96146dbab085a61f132d443d1a5ebf3fe32

  • SHA512

    d75204155b8f42e382ce9641216a02b28b0d2a52df7af0b4fc09988150fb92e166b70662baaf43d9f11d41b99096d35f6b10521f384b95bed3b7e5ea0465b667

  • SSDEEP

    6144:MIWOkp0pvb3FQSV68oPiNLF2Y3iDczBR2TG9UD2NNasWfou:hWOkp0pTV/6fPk2Y3iDc94yu2as

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\64238cd5ecbe797ebea9eaa90000f96146dbab085a61f132d443d1a5ebf3fe32.exe
        "C:\Users\Admin\AppData\Local\Temp\64238cd5ecbe797ebea9eaa90000f96146dbab085a61f132d443d1a5ebf3fe32.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Users\Admin\AppData\Roaming\Qaodo\wyveu.exe
          "C:\Users\Admin\AppData\Roaming\Qaodo\wyveu.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            4⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:632
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe7aecf64.bat"
          3⤵
          • Deletes itself
          PID:760
    • C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
      1⤵
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:764

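The process tree above is the classic dropper chain: the sample in %TEMP% writes a same-size copy to %APPDATA%\Qaodo\wyveu.exe, runs it, that copy spawns a 32-bit C:\Windows\SysWOW64\explorer.exe and writes into it (WriteProcessMemory, MapViewOfSection), the hollowed explorer.exe adds a Run key, and a cmd.exe /c on a temp .bat cleans up the original. The script below is an added example (not part of this sandbox report) of detection logic for that chain run over a constructed, Sysmon-like event stream. The PIDs, parent PIDs and paths are the ones on this page; the event layout, the Run value name "Qaodo" and its data, and the assumption that the dropper (PID 1948) is the process that wrote wyveu.exe and the .bat are all assumptions, since the report records only that a Run key was added and that files were dropped.

```python
"""Flag the dropper -> AppData copy -> explorer.exe injection -> Run key -> self-delete chain.

Added example: events are hand-built from the report's process tree, with a
Sysmon-like layout (1 = process create, 11 = file create, 13 = registry value set).
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\64238cd5ecbe797ebea9eaa90000f96146dbab085a61f132d443d1a5ebf3fe32.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Qaodo\wyveu.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\tmpe7aecf64.bat"
WOW64_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed event stream. ASSUMED: PID 1948 wrote both dropped files, and the
# Run value is named "Qaodo" (the report only says explorer.exe added a Run key).
EVENTS = [
    {"id": 1, "pid": 1212, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"id": 1, "pid": 1948, "ppid": 1212, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"id": 11, "pid": 1948, "target": DROPPED},
    {"id": 1, "pid": 960, "ppid": 1948, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"id": 1, "pid": 632, "ppid": 960, "image": WOW64_EXPLORER, "cmdline": '"' + WOW64_EXPLORER + '"'},
    {"id": 13, "pid": 632, "image": WOW64_EXPLORER,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qaodo", "details": DROPPED},
    {"id": 11, "pid": 1948, "target": BAT},
    {"id": 1, "pid": 760, "ppid": 1948, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\system32\\cmd.exe" /c "' + BAT + '"'},
]

# Paths a standard user can write to; anything executing or persisting from here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# cmd.exe /c on a tmp*.bat in %TEMP%: the self-delete staging seen at PID 760.
SELF_DELETE = re.compile(r'cmd\.exe"?\s+/c\s+"?[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.IGNORECASE)


def build_tree(events):
    """Map pid -> its process-create event so ancestry can be walked."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """Yield image paths from pid up to the root; loop-safe on recycled PIDs."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]["image"]
        pid = procs[pid]["ppid"]


def detect(events):
    """Return (rule, pid) findings for each stage of the chain."""
    procs = build_tree(events)
    findings = []
    for e in events:
        if e["id"] == 1:
            if USER_WRITABLE.search(e["image"]):
                findings.append(("exec_from_user_writable", e["pid"]))
            # The real shell is started by userinit/winlogon as C:\Windows\explorer.exe;
            # a 32-bit SysWOW64\explorer.exe whose parent lives in AppData is a hollowing target.
            if e["image"].lower().endswith(r"\syswow64\explorer.exe"):
                parent = procs.get(e["ppid"])
                if parent and USER_WRITABLE.search(parent["image"]):
                    findings.append(("explorer_spawned_from_user_writable", e["pid"]))
            if e["image"].lower().endswith(r"\cmd.exe") and SELF_DELETE.search(e["cmdline"]):
                findings.append(("cmd_runs_temp_bat", e["pid"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e.get("details", "")):
            findings.append(("run_key_to_user_writable", e["pid"]))
        elif e["id"] == 11 and e["target"].lower().endswith(".exe") and USER_WRITABLE.search(e["target"]):
            findings.append(("exe_dropped_to_user_writable", e["pid"]))
    return findings


def chain_matches(events):
    """Correlate: the process writing the Run key must descend from one that ran out of a
    user-writable path. Returns the image chain from the writer to the root, or []."""
    procs = build_tree(events)
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            chain = list(ancestry(procs, e["pid"]))
            if any(USER_WRITABLE.search(img) for img in chain[1:]):
                return chain
    return []


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
    print("chain:", " <- ".join(chain_matches(EVENTS)))
```

The per-event rules fire on their own, but the correlation in chain_matches is what keeps the Run-key rule quiet for legitimate installers: it only reports when the registry writer (here the hollowed explorer.exe, PID 632) has an ancestor that executed from AppData, which is exactly the 632 <- 960 <- 1948 path in the tree above.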
    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpe7aecf64.bat

      Filesize

      307B

      MD5

      835d5960f81f1b5200b2344e9b9413b1

      SHA1

      eb738e7afc549c8c1d8b4a9284a6e907a98a0ffa

      SHA256

      b64513226a6e670e5aabde90d4b9a8aa376bf94797edf6be7f25254fe03a3640

      SHA512

      f91811b0a2a0401ec7ed6764fadca4a21bacf0fa88d7ce791abdc8bce9f07425129a873091800f6e79a466dd7deb2d9419cedf8fb8fcbeab4b18127c1cc2a855

    • C:\Users\Admin\AppData\Roaming\Qaodo\wyveu.exe

      Filesize

      298KB

      MD5

      0c2b7328c3d3ca6d9f5936460a58114b

      SHA1

      af3f09807cff62c6271df2c803df895990ed85a6

      SHA256

      0c03e890803e89d7f2cbc07d1309b2c2ad098987f6c3525c36e0ac202d20fb91

      SHA512

      d819af05e6067e1baa045a11ed9d83565ca78c32b0715c136eeb5475977a58948e356ded40ba5008cc752b69e07c4979086f86fb4aa5e14c11a837de4e344e28

    • \Users\Admin\AppData\Roaming\Qaodo\wyveu.exe

      Filesize

      298KB

      MD5

      0c2b7328c3d3ca6d9f5936460a58114b

      SHA1

      af3f09807cff62c6271df2c803df895990ed85a6

      SHA256

      0c03e890803e89d7f2cbc07d1309b2c2ad098987f6c3525c36e0ac202d20fb91

      SHA512

      d819af05e6067e1baa045a11ed9d83565ca78c32b0715c136eeb5475977a58948e356ded40ba5008cc752b69e07c4979086f86fb4aa5e14c11a837de4e344e28

    • memory/632-66-0x0000000000000000-mapping.dmp

    • memory/632-86-0x0000000000100000-0x000000000012D000-memory.dmp

      Filesize

      180KB

    • memory/632-83-0x0000000000100000-0x000000000012D000-memory.dmp

      Filesize

      180KB

    • memory/632-68-0x0000000074041000-0x0000000074043000-memory.dmp

      Filesize

      8KB

    • memory/760-84-0x0000000000000000-mapping.dmp

    • memory/764-70-0x000007FEF6191000-0x000007FEF6193000-memory.dmp

      Filesize

      8KB

    • memory/764-69-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

      Filesize

      8KB

    • memory/764-71-0x0000000002370000-0x0000000002380000-memory.dmp

      Filesize

      64KB

    • memory/764-77-0x00000000023D0000-0x00000000023E0000-memory.dmp

      Filesize

      64KB

    • memory/960-63-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/960-62-0x00000000021E0000-0x0000000002275000-memory.dmp

      Filesize

      596KB

    • memory/960-59-0x0000000000000000-mapping.dmp

    • memory/1948-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

      Filesize

      8KB

    • memory/1948-56-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/1948-55-0x0000000002080000-0x0000000002115000-memory.dmp

      Filesize

      596KB