Overview

overview

8

Static

static

4dba6cbd83...6d.exe

windows7-x64

8

4dba6cbd83...6d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    106s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dba6cbd83d9b07f305943ae904a3f6271ae9734ad962c67c2a02d75110c976d.exe

  • Size

    36KB

  • MD5

    e284f66f6759911c7c032bd131332a24

  • SHA1

    79edba44f0a1a55def326a6c6ba885f2478a4780

  • SHA256

    4dba6cbd83d9b07f305943ae904a3f6271ae9734ad962c67c2a02d75110c976d

  • SHA512

    a5722e1d07cd61ccded507b97d69d00cd250b42b9a6c75327a7db69e1aceb1b29a58b6fbc0ca2e56aaba200470ae38c70bd18c3fe7b515a9cff6dbfe075178c8

  • SSDEEP

    768:n+ssHLUCpqCXhcTW/Y20TlXjU12W3sGctza:n+sRKFc/xTBi1cc

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dba6cbd83d9b07f305943ae904a3f6271ae9734ad962c67c2a02d75110c976d.exe
    "C:\Users\Admin\AppData\Local\Temp\4dba6cbd83d9b07f305943ae904a3f6271ae9734ad962c67c2a02d75110c976d.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
        3⤵
        • Modifies registry class
        PID:1132
    • C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
      2⤵
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:00000000
        3⤵
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1120-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1132-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2224-134-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/2224-135-0x0000000000030000-0x0000000000033000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2224-140-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/3852-136-0x0000000000000000-mapping.dmp
    Download