Overview

overview

8

Static

static

3235b022e4...50.exe

windows7-x64

8

3235b022e4...50.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    196s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450.exe

  • Size

    392KB

  • MD5

    e05eb29d1eecf974d032c886689e03b3

  • SHA1

    ae914d60f8671374025a764328c3f2069c068257

  • SHA256

    3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450

  • SHA512

    7f5b603e3041629b6a4a4c9c2b3728715c8344c9312003ec2650cab3e94ad9f0c7a0956aad044776e30102f0a48303df85d459aa2b66695ee3b0b1412fe43d45

  • SSDEEP

    6144:AnGX7Qbd1P6YpQ3LbrSZ/1vL99Vay06N9JUo923TNclWk05S24+:AkcGkQ3EVayl9aobT23

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450.exe
    "C:\Users\Admin\AppData\Local\Temp\3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\water.exe
      C:\Users\Admin\AppData\Local\Temp\3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3028
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    1⤵
      PID:4580
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
      1⤵
        PID:4596
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
        1⤵
          PID:2636
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          1⤵
            PID:532
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            1⤵
              PID:1416
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              1⤵
                PID:448
              • C:\Windows\system32\BackgroundTransferHost.exe
                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                1⤵
                  PID:4420
                • C:\Windows\system32\BackgroundTransferHost.exe
                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                  1⤵
                    PID:2956
                  • C:\Windows\system32\backgroundTaskHost.exe
                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                    1⤵
                      PID:4816
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:4856

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Registry Run Keys / Startup Folder

                      1
                      T1060

                      Privilege Escalation

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\water.exe
                        Filesize

                        392KB

                        MD5

                        e05eb29d1eecf974d032c886689e03b3

                        SHA1

                        ae914d60f8671374025a764328c3f2069c068257

                        SHA256

                        3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450

                        SHA512

                        7f5b603e3041629b6a4a4c9c2b3728715c8344c9312003ec2650cab3e94ad9f0c7a0956aad044776e30102f0a48303df85d459aa2b66695ee3b0b1412fe43d45

                        Download Submit
                      • C:\Users\Admin\AppData\Local\water.exe
                        Filesize

                        392KB

                        MD5

                        e05eb29d1eecf974d032c886689e03b3

                        SHA1

                        ae914d60f8671374025a764328c3f2069c068257

                        SHA256

                        3235b022e48ef635c8ee7d6c753f9adca385a9afaa56bde5957c96e15e422450

                        SHA512

                        7f5b603e3041629b6a4a4c9c2b3728715c8344c9312003ec2650cab3e94ad9f0c7a0956aad044776e30102f0a48303df85d459aa2b66695ee3b0b1412fe43d45

                        Download Submit
                      • memory/448-155-0x0000000000000000-mapping.dmp
                        Download
                      • memory/532-153-0x0000000000000000-mapping.dmp
                        Download
                      • memory/784-147-0x00000197D9440000-0x00000197D9473000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/784-150-0x00000197D9440000-0x00000197D9473000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/784-149-0x00000197D9400000-0x00000197D9433000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/784-142-0x00000197D8D80000-0x00000197D8DAE000-memory.dmp
                        Filesize

                        184KB

                        Download
                      • memory/784-143-0x00000197D8DB0000-0x00000197D8DE3000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/784-146-0x00000197D8D80000-0x00000197D8DAE000-memory.dmp
                        Filesize

                        184KB

                        Download
                      • memory/784-145-0x00000197D9400000-0x00000197D9433000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/1416-154-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2636-152-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2956-157-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3028-134-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3028-140-0x0000000000400000-0x0000000000463000-memory.dmp
                        Filesize

                        396KB

                        Download
                      • memory/3028-148-0x0000000000400000-0x000000000044E000-memory.dmp
                        Filesize

                        312KB

                        Download
                      • memory/3028-144-0x0000000000400000-0x0000000000463000-memory.dmp
                        Filesize

                        396KB

                        Download
                      • memory/4420-156-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4556-137-0x0000000000400000-0x000000000044E000-memory.dmp
                        Filesize

                        312KB

                        Download
                      • memory/4556-132-0x0000000000400000-0x000000000044E000-memory.dmp
                        Filesize

                        312KB

                        Download
                      • memory/4580-141-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4596-151-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4816-158-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4856-159-0x0000000000000000-mapping.dmp
                        Download