Overview

overview

10

Static

static

84f85aa0fa...c9.exe

windows7-x64

10

84f85aa0fa...c9.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84f85aa0fabab28188ef47f730fac55eabf841ce65f657155ba5efd5274a5ac9.exe

  • Size

    66KB

  • MD5

    bff6f8174edd06b7c02a8a34d3cf3e91

  • SHA1

    b6372ce38eed5cace0a43148e38ad5590a4602f2

  • SHA256

    84f85aa0fabab28188ef47f730fac55eabf841ce65f657155ba5efd5274a5ac9

  • SHA512

    ef66228c16c64e47da4c77002b5ea453da4f4ac1529f93a0c5a17ac308aa0c671e04bd59d11dbe71e5327ba72bc1e09550663dc1efdf661a2bab2788bdee19bf

  • SSDEEP

    1536:R1s9gsCIJb36uzOW9J3qsHdlwcIxulEbgVD+Gt8QcEG:rUpxOuzxCsHn0uaocQP

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84f85aa0fabab28188ef47f730fac55eabf841ce65f657155ba5efd5274a5ac9.exe
    "C:\Users\Admin\AppData\Local\Temp\84f85aa0fabab28188ef47f730fac55eabf841ce65f657155ba5efd5274a5ac9.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: MapViewOfSection
    PID:1708
  • C:\Windows\syswow64\svchost.exe
    "C:\Windows\syswow64\svchost.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      2⤵
        PID:1988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1224-58-0x0000000077360000-0x0000000077509000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1224-59-0x0000000002210000-0x0000000002219000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1224-61-0x0000000077360000-0x0000000077509000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1708-54-0x0000000000400000-0x0000000000413000-memory.dmp
      Filesize

      76KB

      Download
    • memory/1708-55-0x0000000075451000-0x0000000075453000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1708-56-0x0000000000390000-0x00000000003C0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1708-57-0x0000000000390000-0x00000000003C0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1988-62-0x0000000000000000-mapping.dmp
      Download