Overview

overview

10

Static

static

5363962b9e...08.exe

windows7-x64

10

5363962b9e...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    181s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 18:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5363962b9ef23677c82ce5294f42c622a941d238180ffcde9fb6f1cee9571f08.exe

  • Size

    898KB

  • MD5

    5c41de5cea0bc148b8177cb41803d7c9

  • SHA1

    47fbd7205613bd5f451439ccec5b514dbc4c7c0f

  • SHA256

    5363962b9ef23677c82ce5294f42c622a941d238180ffcde9fb6f1cee9571f08

  • SHA512

    b0d812109610e8754b3a52b370c37ea188099e2d5ae1ce2fdf5fca4b3a8ef62edb2af87634726bda971efc81704978faa6f52d181167f4f7f8707b334d8450cd

  • SSDEEP

    6144:E3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhDM6a1F9nBG:E3TdtLW5WIj1YSSdFxs1z4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5363962b9ef23677c82ce5294f42c622a941d238180ffcde9fb6f1cee9571f08.exe
    "C:\Users\Admin\AppData\Local\Temp\5363962b9ef23677c82ce5294f42c622a941d238180ffcde9fb6f1cee9571f08.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
          PID:3604
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\SysWOW64\at.exe
          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
          3⤵
            PID:4992

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2436-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3424-132-0x0000000000400000-0x0000000000506000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3424-137-0x0000000000400000-0x0000000000506000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3604-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3608-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4992-136-0x0000000000000000-mapping.dmp
        Download