Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-11-2022 10:01

General

  • Target

    d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe

  • Size

    52KB

  • MD5

    8b71cd888da67ae3eeae97480a29d2e9

  • SHA1

    93a5c1e83b8a02ebc1f2f146e1e7716a78be310e

  • SHA256

    d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce

  • SHA512

    ea4cdb9ece8e1f3244b24ae63dac3fdcf93583e86d4e6c15d0634f0ac772e4f018f2587cd8782d11b9d6fa91fb03f2cafeb6ae5e012b8c52bd93734dd098162e

  • SSDEEP

    768:aHyEBK+o6yMPqgRDMa6RwTdQXQ/6m/4Jk8gqCfFC:aHL1Rt20BCJkkUF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe
    "C:\Users\Admin\AppData\Local\Temp\d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\svchobst.exe
      "C:\Windows\svchobst.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" £¾½¸ýéê ­±ï¡Þ×Ô’Ï̖ҏ˜ÝÀÞÞ±°¯®­¬«ª©¨§¦¥¤£¢¡ Ÿžœ›š™˜—–•”“’‘ŽŒ‹Š‰ˆ‡†…„ƒ‚€~}|{zyxwvutsrqponmlkjihgfedcba`_^
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3988 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D54797~1.EXE > nul
      2⤵
      PID:440

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence
      • Registry Run Keys / Startup Folder (T1060): 1
    • Defense Evasion
      • Modify Registry (T1112): 2
    • Discovery
      • Query Registry (T1012): 1
      • System Information Discovery (T1082): 1

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      e32d02ce684c01ef3af05fae9066160e

      SHA1

      29c7a6e8ed553ac2765634265d1db041d6d422ec

      SHA256

      b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

      SHA512

      e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      f03c405b4000f830a6b31c529b02b29d

      SHA1

      887dd52e4b07d0ea6958324a17b1f41148a0443e

      SHA256

      d5ae1678609f155dbda4918d513f82439a84a658a3ed1a49832b660d008b27af

      SHA512

      86a2412249e1c138ff6e6046a4d942fccced0cb84b83cb71e97d839c78328ab6058a5958fc499e86782b306e4a49d7a5031cebfc96bb859eeefdab94f687474a

    • C:\Windows\svchobst.exe
      Filesize

      52KB

      MD5

      8b71cd888da67ae3eeae97480a29d2e9

      SHA1

      93a5c1e83b8a02ebc1f2f146e1e7716a78be310e

      SHA256

      d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce

      SHA512

      ea4cdb9ece8e1f3244b24ae63dac3fdcf93583e86d4e6c15d0634f0ac772e4f018f2587cd8782d11b9d6fa91fb03f2cafeb6ae5e012b8c52bd93734dd098162e

    • memory/440-134-0x0000000000000000-mapping.dmp
    • memory/4764-132-0x0000000000000000-mapping.dmp