Analysis

  • max time kernel
    133s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 15:36

General

  • Target

    4f5a62953887e0edb04c6af2da90e577cb6012242fc90e9ba71be5ef90869a4c.exe

  • Size

    623KB

  • MD5

    b652e55983aa5f2ef967dacf564fa24b

  • SHA1

    0dfb93b79747976703b69dba6657c0c044e9f78a

  • SHA256

    4f5a62953887e0edb04c6af2da90e577cb6012242fc90e9ba71be5ef90869a4c

  • SHA512

    2cffa1b91c2b47272446645f2b73eff00f5017e4c43c601b1af69dd6856766e3ff6392d2017b8032b61666bb9b670bc9251208ab10d2d37d05c9cbbf62be5403

  • SSDEEP

    12288:UsAL/W5L/SZdSCvTF+bDTqXTGanh/y+50vOoU3B1GXG/b3RZdYuCc:UsW/WNSZ8CLGETGaFZMOJ3BsXU3RZdYa

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f5a62953887e0edb04c6af2da90e577cb6012242fc90e9ba71be5ef90869a4c.exe
    "C:\Users\Admin\AppData\Local\Temp\4f5a62953887e0edb04c6af2da90e577cb6012242fc90e9ba71be5ef90869a4c.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Modifies registry class
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\svchost.exe

    Filesize

    626KB

    MD5

    39e8e17385db14a9072e444219b9eee9

    SHA1

    d9da0d0c069cd1f979d79174aef0c05b0fe0b6c7

    SHA256

    8b687132aafa947881a602fc54e6a727168bb2842b0973fcf10947cde2bb4a5b

    SHA512

    fb72d367705ad1c78b4a78126a598b5ecbee7f71975c4c9c50b5933d81c40bb0512796d9c1222854cc242cd2a9a19db386d3e9aa1c4ebf43a84085f4d9ed06b4

  • memory/2028-54-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2028-57-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2040-55-0x0000000000000000-mapping.dmp

  • memory/2040-58-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2040-59-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB