Overview

overview

6

Static

static

b4d0a40971...df.exe

windows7-x64

6

b4d0a40971...df.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe

  • Size

    168KB

  • MD5

    4f48e7fb500fa1c4b97bca7f7f59a916

  • SHA1

    2ce9f6ac575e6f4bd5165b69e825c6d3acbb6deb

  • SHA256

    b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df

  • SHA512

    57363314ec77ffe92eb5f18534953e62e1c1dada28dc2355338f83db379b5f7aeea7822c6a86440bc890ed2d62715b1003abb243b602c8d483b38e3560a4663e

  • SSDEEP

    3072:06Nt+nzwyPzr6CXPawfF3J+1PkB4PU0RKucNkDKAF7Z:NNKzdPzGCXPawN+PxguikKAFN

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe
    "C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe
      "C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Windows\SysWOW64\mspaint.exe
          "C:\Windows\system32\mspaint.exe"
          4⤵
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3552
      • C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe
        "C:\Users\Admin\AppData\Local\Temp\b4d0a4097189f2c208c40b2808290a3003f5f1f3ff4756f2d24a2eb8b18d60df.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4716 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2964
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:5040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      e32d02ce684c01ef3af05fae9066160e

      SHA1

      29c7a6e8ed553ac2765634265d1db041d6d422ec

      SHA256

      b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

      SHA512

      e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      dc3b27b7181f47f11952ae6211193217

      SHA1

      811370a3f5e062e09b02ea1155cd5812d8f13c06

      SHA256

      15be03fade33094f10a56869b743ad173d96abc5890238f5dbef64d8aa252ac2

      SHA512

      068b223f011910bbc01994b301b0fc9178255d3177602e9affd69c936ac5062134d0f33590a57a8334b98b3f1b48658ee2b62858d66dc25c4e55070da3c7aeb5

      Download Submit

    • memory/452-146-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/452-145-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/452-139-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/452-138-0x0000000000000000-mapping.dmp

      Download

    • memory/452-142-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3552-149-0x00000000034F0000-0x000000000353E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3552-141-0x0000000000000000-mapping.dmp

      Download

    • memory/3552-148-0x00000000034F0000-0x000000000353E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3628-143-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3628-134-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3628-133-0x0000000000000000-mapping.dmp

      Download

    • memory/3780-144-0x00000000012D0000-0x00000000012F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3780-147-0x0000000003560000-0x00000000035AE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3780-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3796-132-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3796-136-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download