Overview

overview

10

Static

static

a99e0e2de3...22.exe

windows7-x64

10

a99e0e2de3...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe

  • Size

    76KB

  • MD5

    0cfa9fbedc5413ec26ecfdb96553a4e1

  • SHA1

    9a4755d3ce3bd6df8f6acea6ebf6239463d6b5fc

  • SHA256

    a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22

  • SHA512

    daf09881aed9057e15a9a875993d974cd2910b8979ea9d2bdfa2a125bb50073633b451c25f24031d50b9024debbddac35a2396d6ec3e782836fa12ed419e594d

  • SSDEEP

    768:7embNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xkq:tnqdu3abBGy3G8V0iuo2X

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
    "C:\Users\Admin\AppData\Local\Temp\a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1848
    • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe
      "c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe" a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22
      2⤵
      • Modifies system executable filetype association
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\hama.exe
    Filesize

    76KB

    MD5

    422be0af571d182f1a7cdddc68b6bcc4

    SHA1

    0969848ff047cbddb282fcc762f77b04a5264feb

    SHA256

    e56de5c2a4a0ed1e44c48b4db631e01f341773c4276ce6fecb055f9492cb3878

    SHA512

    aa1b44a0b5c4a73f8da66bbec736c0ac1a83e3d35b90c82e3f310e811bf7384b5f382f730246f3d509f7ec4d885535a681d28dcd2a65e6726b2a2264fcaafb60

    Download Submit

  • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe
    Filesize

    76KB

    MD5

    422be0af571d182f1a7cdddc68b6bcc4

    SHA1

    0969848ff047cbddb282fcc762f77b04a5264feb

    SHA256

    e56de5c2a4a0ed1e44c48b4db631e01f341773c4276ce6fecb055f9492cb3878

    SHA512

    aa1b44a0b5c4a73f8da66bbec736c0ac1a83e3d35b90c82e3f310e811bf7384b5f382f730246f3d509f7ec4d885535a681d28dcd2a65e6726b2a2264fcaafb60

    Download Submit

  • \??\c:\windows\SysWOW64\Windows 3D.scr
    Filesize

    76KB

    MD5

    2e299c3119a22ef26e4d51577c6ace05

    SHA1

    cb522d2455e023eed7382fb9c92cdf1101b3605a

    SHA256

    b61e2c3f71f6d4917b0e4ad41b2f568a7b77aa501b99091de42e9b72e281a65a

    SHA512

    ecaa5eb8279cd2082eb0b7694df75a82263355c431c029ce8a1ad64c83b318adf09bb8ea30f300f7e8bb819ca46eb10984af1493272126c2f63b228732226ebe

    Download Submit

  • \??\c:\windows\SysWOW64\maxtrox.txt
    Filesize

    8B

    MD5

    24865ca220aa1936cbac0a57685217c5

    SHA1

    37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

    SHA256

    841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

    SHA512

    c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\hama.exe
    Filesize

    76KB

    MD5

    422be0af571d182f1a7cdddc68b6bcc4

    SHA1

    0969848ff047cbddb282fcc762f77b04a5264feb

    SHA256

    e56de5c2a4a0ed1e44c48b4db631e01f341773c4276ce6fecb055f9492cb3878

    SHA512

    aa1b44a0b5c4a73f8da66bbec736c0ac1a83e3d35b90c82e3f310e811bf7384b5f382f730246f3d509f7ec4d885535a681d28dcd2a65e6726b2a2264fcaafb60

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\hama.exe
    Filesize

    76KB

    MD5

    422be0af571d182f1a7cdddc68b6bcc4

    SHA1

    0969848ff047cbddb282fcc762f77b04a5264feb

    SHA256

    e56de5c2a4a0ed1e44c48b4db631e01f341773c4276ce6fecb055f9492cb3878

    SHA512

    aa1b44a0b5c4a73f8da66bbec736c0ac1a83e3d35b90c82e3f310e811bf7384b5f382f730246f3d509f7ec4d885535a681d28dcd2a65e6726b2a2264fcaafb60

    Download Submit

  • memory/1752-58-0x0000000000000000-mapping.dmp

    Download