Analysis

  • max time kernel
    187s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 10:40

General

  • Target

    e454330df4a4f1765173b4249f8128c5ebd8b61a8f6e2bc86f00894b51f114e3.exe

  • Size

    76KB

  • MD5

    8361b14c9b5bbafcbed5e5327f06b514

  • SHA1

    6445921742db078e4369aa951b097928b4b7246d

  • SHA256

    e454330df4a4f1765173b4249f8128c5ebd8b61a8f6e2bc86f00894b51f114e3

  • SHA512

    b5b5ccc59f7931e8613225f06ce6a6079f9ea973ae1b1f2ce914f043ed88d3851d14cebbe16233c401f0f934fcb41899fff721f599dfb353840c82d6fd97fe8b

  • SSDEEP

    768:uembNRqsuhlGO6rhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xk+:cnqcu3abBGy3G8V0iuo2j

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e454330df4a4f1765173b4249f8128c5ebd8b61a8f6e2bc86f00894b51f114e3.exe
    "C:\Users\Admin\AppData\Local\Temp\e454330df4a4f1765173b4249f8128c5ebd8b61a8f6e2bc86f00894b51f114e3.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcn.exe
      "c:\Documents and Settings\Admin\Application Data\Microsoft\vcn.exe" e454330df4a4f1765173b4249f8128c5ebd8b61a8f6e2bc86f00894b51f114e3
      2⤵
      • Modifies system executable filetype association
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Change Default File Association (T1042): 1
    • Hidden Files and Directories (T1158): 2
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Modify Registry (T1112): 4
    • Hidden Files and Directories (T1158): 2
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\vcn.exe
    Filesize

    76KB

    MD5

    4b83e02b81df90fea584e31ea827a8c0

    SHA1

    79c3e7027fe5d08554afadb260069604691dc5df

    SHA256

    0fd729853d4615c14b1b1c7e82ce82c8a3db3ab73ce4185fd0b60a278419cf92

    SHA512

    ed37b00e7dfebdbd027917db94b5430cd88ceab3893c3433b98c9c7ecf6c277119daeaeef3562a8358761ddbfdb691d3738c19f6555279472cddf49edd5b6f95

  • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcn.exe
    Filesize

    76KB

    MD5

    4b83e02b81df90fea584e31ea827a8c0

    SHA1

    79c3e7027fe5d08554afadb260069604691dc5df

    SHA256

    0fd729853d4615c14b1b1c7e82ce82c8a3db3ab73ce4185fd0b60a278419cf92

    SHA512

    ed37b00e7dfebdbd027917db94b5430cd88ceab3893c3433b98c9c7ecf6c277119daeaeef3562a8358761ddbfdb691d3738c19f6555279472cddf49edd5b6f95

  • \??\c:\windows\SysWOW64\Windows 3D.scr
    Filesize

    76KB

    MD5

    e5722663c83043a5d429308c38cd834e

    SHA1

    1ddaf22c61838dc183d403587f19f8b9b62431a2

    SHA256

    d1dda083cbf5682bf2a89602f20c5509bfdb1a7a32d3e6893c99f0086a56e597

    SHA512

    c934011c841def9fe7d7e695d542fa0b256069df035260271bdfc39912e99d53ec36f1e1feb4dbba74ce95ae1177b4273c7a197144598a7d9495eb7d11ff0c0b

  • \??\c:\windows\SysWOW64\maxtrox.txt
    Filesize

    8B

    MD5

    24865ca220aa1936cbac0a57685217c5

    SHA1

    37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

    SHA256

    841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

    SHA512

    c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

  • \Users\Admin\AppData\Roaming\Microsoft\vcn.exe
    Filesize

    76KB

    MD5

    4b83e02b81df90fea584e31ea827a8c0

    SHA1

    79c3e7027fe5d08554afadb260069604691dc5df

    SHA256

    0fd729853d4615c14b1b1c7e82ce82c8a3db3ab73ce4185fd0b60a278419cf92

    SHA512

    ed37b00e7dfebdbd027917db94b5430cd88ceab3893c3433b98c9c7ecf6c277119daeaeef3562a8358761ddbfdb691d3738c19f6555279472cddf49edd5b6f95

  • memory/1644-58-0x0000000000000000-mapping.dmp