Overview

overview

10

Static

static

81e61437b3...9b.exe

windows7-x64

10

81e61437b3...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b.exe

  • Size

    548KB

  • MD5

    2bc0356986bda4a28e16a5b8b137cc57

  • SHA1

    1de52df17c2dd05362e0eccf22ebff49c3b81f58

  • SHA256

    81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b

  • SHA512

    235e794cdc7617c0bfb9b17944d1eb27212609067f92851588aa034c8d5f73b13fe0abc9c6952f6b39ef0fe467aa6a48918a432b52fbc42853212d9b7f4092b4

  • SSDEEP

    12288:PVJpPb5vKVJDD3E6EIuH7ElI0w52ZJ4UJPJJxobhU1+V:PtNKLEIuHyz114

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b.exe
    "C:\Users\Admin\AppData\Local\Temp\81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b.exe
      "C:\Users\Admin\AppData\Local\Temp\81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b.exe"
      2⤵
      • Modifies firewall policy service
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:100
      • C:\Users\Admin\M-52849205209409204980245\winmgr.exe
        C:\Users\Admin\M-52849205209409204980245\winmgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Users\Admin\M-52849205209409204980245\winmgr.exe
          C:\Users\Admin\M-52849205209409204980245\winmgr.exe
          4⤵
          • Executes dropped EXE
          PID:4028

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\M-52849205209409204980245\winmgr.exe
    Filesize

    548KB

    MD5

    2bc0356986bda4a28e16a5b8b137cc57

    SHA1

    1de52df17c2dd05362e0eccf22ebff49c3b81f58

    SHA256

    81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b

    SHA512

    235e794cdc7617c0bfb9b17944d1eb27212609067f92851588aa034c8d5f73b13fe0abc9c6952f6b39ef0fe467aa6a48918a432b52fbc42853212d9b7f4092b4

    Download Submit

  • C:\Users\Admin\M-52849205209409204980245\winmgr.exe
    Filesize

    548KB

    MD5

    2bc0356986bda4a28e16a5b8b137cc57

    SHA1

    1de52df17c2dd05362e0eccf22ebff49c3b81f58

    SHA256

    81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b

    SHA512

    235e794cdc7617c0bfb9b17944d1eb27212609067f92851588aa034c8d5f73b13fe0abc9c6952f6b39ef0fe467aa6a48918a432b52fbc42853212d9b7f4092b4

    Download Submit

  • C:\Users\Admin\M-52849205209409204980245\winmgr.exe
    Filesize

    548KB

    MD5

    2bc0356986bda4a28e16a5b8b137cc57

    SHA1

    1de52df17c2dd05362e0eccf22ebff49c3b81f58

    SHA256

    81e61437b38804c696ed37e590876bd626220f8f1756e6f29a1648d166ff399b

    SHA512

    235e794cdc7617c0bfb9b17944d1eb27212609067f92851588aa034c8d5f73b13fe0abc9c6952f6b39ef0fe467aa6a48918a432b52fbc42853212d9b7f4092b4

    Download Submit

  • memory/100-132-0x0000000000000000-mapping.dmp

    Download

  • memory/100-133-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/220-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4028-137-0x0000000000000000-mapping.dmp

    Download