Overview

overview

10

Static

static

acd1d5e649...cf.exe

windows7-x64

10

acd1d5e649...cf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    71s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acd1d5e6495240532917fb0a38650fa89dc6ed3d35816b7409817b43f5b9f7cf.exe

  • Size

    134KB

  • MD5

    d0202f4ac2fd583d9eb32fd4ff1aff5c

  • SHA1

    951b731626b6d266cd4e5ebf6fecfa0e356ea805

  • SHA256

    acd1d5e6495240532917fb0a38650fa89dc6ed3d35816b7409817b43f5b9f7cf

  • SHA512

    fe31989e2cbeffb2d74f79e3f940db838fc28d9d93858e64eadf2ba08cf5d358d39166226fbf4b4fa267d573351feeb92fd6895594c1b4b3535315053ae50d4e

  • SSDEEP

    3072:qsRG0fFgblljWFQ8ZrYPVfPLWkTKirRhCRgkHvHTO:lRGC6uNoVfPUirYdHa

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 11 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • NTFS ADS 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acd1d5e6495240532917fb0a38650fa89dc6ed3d35816b7409817b43f5b9f7cf.exe
    "C:\Users\Admin\AppData\Local\Temp\acd1d5e6495240532917fb0a38650fa89dc6ed3d35816b7409817b43f5b9f7cf.exe"
    1⤵
    • Modifies security service
    • Sets service image path in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      PID:840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\Desktop\Install\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\ \...\‮ﯹ๛\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@
    Filesize

    2KB

    MD5

    051afc8b67b209efda2b84a18e401893

    SHA1

    55e7b365014834de24e651ddc1b914f99b538776

    SHA256

    456d406255133082a9f2eaa8374fe135086de85b4e01d3c89885296e05cc60f6

    SHA512

    b30c9526bfa8e34d2bf021f5c1cdcb91f96216978d6ca9259ad551943c29dda22c8f15e3b2ff5111de89c1b3c6458449a0247fd56c6ace9b94480ec466cc879a

    Download Submit

  • memory/460-59-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/460-63-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1208-58-0x0000000002780000-0x0000000002791000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1964-55-0x0000000001000000-0x000000000103E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1964-57-0x0000000001000000-0x000000000103E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1964-61-0x0000000001000000-0x000000000103E000-memory.dmp

    Filesize

    248KB

    Download