Overview

overview

10

Static

static

ef17e6c129...4a.exe

windows7-x64

10

ef17e6c129...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 21:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ef17e6c12998899420d6cac9ad16c64e490e156e7041577c7e94be740324f34a.exe

  • Size

    444KB

  • MD5

    53880143631f47c73526dbcb91831198

  • SHA1

    821ae3f70f4697a7c426cccf48914ed76adb15d5

  • SHA256

    ef17e6c12998899420d6cac9ad16c64e490e156e7041577c7e94be740324f34a

  • SHA512

    6d39d98c3a566bee09cd879dbef74fef41cf9a360c5ae8884de4ae8e6109dadc238005d975021bbeddfe73e38a45fd82f5aaa35572ca3363c87052a5e15e8239

  • SSDEEP

    6144:LY1Y+aAywEnRnei/wK9N58K5rRzZ4aPm2sJKiUY:LGrywkneiICNR5pC41

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef17e6c12998899420d6cac9ad16c64e490e156e7041577c7e94be740324f34a.exe
    "C:\Users\Admin\AppData\Local\Temp\ef17e6c12998899420d6cac9ad16c64e490e156e7041577c7e94be740324f34a.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
        3⤵
        • Modifies Windows Firewall
        PID:4296
      • C:\Users\Admin\AppData\Roaming\lsass.exe
        /d C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4752
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 924
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:5028

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\lsass.exe
          Filesize

          1.1MB

          MD5

          a0776a06c68c2759e639ecc05099b3d3

          SHA1

          afb581b876abdd5e9723b941be50996226201af3

          SHA256

          514d43ac00ef9e08ad6fcd3dc282a321cf84801221eb028990a08e2209169574

          SHA512

          bb43b2b66542bccfb38029514c23b445571d2375e814aaaaaee79891b0dc439e831608bc58192d34f90c2b66b6c36cda503c934baae6aa34d21c415c67436b76

          Download Submit

        • C:\Users\Admin\AppData\Roaming\lsass.exe
          Filesize

          1.1MB

          MD5

          a0776a06c68c2759e639ecc05099b3d3

          SHA1

          afb581b876abdd5e9723b941be50996226201af3

          SHA256

          514d43ac00ef9e08ad6fcd3dc282a321cf84801221eb028990a08e2209169574

          SHA512

          bb43b2b66542bccfb38029514c23b445571d2375e814aaaaaee79891b0dc439e831608bc58192d34f90c2b66b6c36cda503c934baae6aa34d21c415c67436b76

          Download Submit

        • memory/1664-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1664-145-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2180-134-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2180-138-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2180-144-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download