Overview

overview

10

Static

static

ad955fdc74...c4.exe

windows7-x64

10

ad955fdc74...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4.exe

  • Size

    248KB

  • MD5

    453e81cf8fd30e22f5d73ba21f73e21c

  • SHA1

    677d1dad9d914aeefa23d4f0e95d1cb611faa8b2

  • SHA256

    ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4

  • SHA512

    6526e87ae9315280eb2945e2fd97c771f047d76781508911221cf4cec767ff2d5009a2a878e4c8b8c4d8be72e7168f4cf2ade96ca6ee1f5c57ddc7c576db43dd

  • SSDEEP

    6144:w6SEglcg8sX+yFtrqRvV+bslcyn97fG6F4+ECgVuc:JSrlzEyFlqRtUyn9blCYgV

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Nero" dir=in action=allow description="Multimedia suite" program="C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3432
    • C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:212

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
    Filesize

    248KB

    MD5

    453e81cf8fd30e22f5d73ba21f73e21c

    SHA1

    677d1dad9d914aeefa23d4f0e95d1cb611faa8b2

    SHA256

    ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4

    SHA512

    6526e87ae9315280eb2945e2fd97c771f047d76781508911221cf4cec767ff2d5009a2a878e4c8b8c4d8be72e7168f4cf2ade96ca6ee1f5c57ddc7c576db43dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
    Filesize

    248KB

    MD5

    453e81cf8fd30e22f5d73ba21f73e21c

    SHA1

    677d1dad9d914aeefa23d4f0e95d1cb611faa8b2

    SHA256

    ad955fdc7425dc1f94f780accb5f795ca61170640235a42e460479a7106cf7c4

    SHA512

    6526e87ae9315280eb2945e2fd97c771f047d76781508911221cf4cec767ff2d5009a2a878e4c8b8c4d8be72e7168f4cf2ade96ca6ee1f5c57ddc7c576db43dd

    Download Submit

  • memory/212-135-0x0000000000000000-mapping.dmp

    Download

  • memory/3432-134-0x0000000000000000-mapping.dmp

    Download