Overview

overview

8

Static

static

fa6f80a202...a9.exe

windows7-x64

8

fa6f80a202...a9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe

  • Size

    178KB

  • MD5

    10a1d3076e341bc58eb877812af28831

  • SHA1

    4ac987f8d220168d089d86f3e47810f67fb4c889

  • SHA256

    fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9

  • SHA512

    9f45ef560a8e3091d232032656810f31521ae7913fe5a437d80b3065e791decf5722c70a9283f19bb59acb3ad1508d2cdaf3535fcf85c564b85fb0f364e93579

  • SSDEEP

    3072:ovbnG14mgBkAV7y9rwOWqdIQhY4IC4ilDG0UQ2Vf8RjPrd:AGGkAc9tdIOYC4iFUQ2BAzrd

Score
8/10
persistence

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe
      "C:\Users\Admin\AppData\Local\Temp\fa6f80a2025801716693f71334a2fed9c0821eaf42a9af8734b6e100840412a9.exe"
      2⤵
      • Registers COM server for autorun
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2012
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:460

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@
    Filesize

    2KB

    MD5

    2c623f23d7f6ffdacd50a4c89cd753f5

    SHA1

    ef8588168919ca30a1b92b5c96447958aa7b0e52

    SHA256

    fb26431103acf2082bf94f86a0641e4e12d9c4f50682ccdaaa0ee7414d4ab862

    SHA512

    c257654015208bfcae0481e717f8699a8b1643c018385a9c8024a6cb1cf223f7799d95a51696bd0bacd9c6462e36cea6a708638c729e9dcfa75ead01c4249c8a

    Download Submit

  • memory/460-72-0x00000000001F0000-0x00000000001FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/460-84-0x0000000000200000-0x000000000020C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/460-83-0x00000000000F0000-0x00000000000F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/460-78-0x00000000000F0000-0x00000000000F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/460-79-0x0000000000200000-0x000000000020C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/460-76-0x00000000001F0000-0x00000000001FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1212-66-0x0000000002150000-0x0000000002158000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1212-82-0x0000000002150000-0x0000000002158000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1212-55-0x00000000021A0000-0x00000000021AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1212-59-0x00000000021A0000-0x00000000021AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1212-67-0x0000000002200000-0x000000000220C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1212-63-0x00000000021A0000-0x00000000021AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1884-64-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1884-81-0x000000000054E000-0x0000000000571000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1884-80-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1884-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1884-65-0x000000000054E000-0x0000000000571000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1884-86-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1884-87-0x000000000054E000-0x0000000000571000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2012-85-0x0000000000000000-mapping.dmp

    Download