Overview

overview

7

Static

static

913b14cf91...eb.exe

windows7-x64

7

913b14cf91...eb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

  • Size

    369KB

  • MD5

    b34f2b9affb33bfd5b0e614c98bc864f

  • SHA1

    110b70ff3fe487de75344e1635752b5b850f7286

  • SHA256

    913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb

  • SHA512

    64a4c5f40ee84041a576f288d834a76a9b94ebf0b5081cd07576493d6cbb1cf82ea2411e5997e9f161d2890b4b25a9373061765a0d1af7a353d9511165801b6c

  • SSDEEP

    6144:PNlwo1G9mdL7G8Oi0Fb2GuIKlbaTSPfYq5c+ClSTAVVD3s3G:PNBumZh09g/gqbiK

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
      PID:1704
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
        "C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1508
    • C:\Windows\System32\spoolsv.exe
      C:\Windows\System32\spoolsv.exe
      1⤵
        PID:992

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\XafuHajt\XafuHajt.dat
        Filesize

        252KB

        MD5

        3a678acae920d7d7c28128eab541a80b

        SHA1

        857f960a3ee0db307b248f264e4bb02c4b4861e0

        SHA256

        80f5f0489f8080e5dfd955e6235210bba61c7ca8cb0a1457c328ed11cd5a9431

        SHA512

        d35ca5295435e230b0e3f2c364e9396e806aadb10e3032d1a35f5dde31689c60d0c2aad3d3eb4acae4b932c1ae734c8cdea735fe3a2b90378f11ae6cbba4809c

        Download Submit
      • \ProgramData\XafuHajt\XafuHajt.dat
        Filesize

        252KB

        MD5

        3a678acae920d7d7c28128eab541a80b

        SHA1

        857f960a3ee0db307b248f264e4bb02c4b4861e0

        SHA256

        80f5f0489f8080e5dfd955e6235210bba61c7ca8cb0a1457c328ed11cd5a9431

        SHA512

        d35ca5295435e230b0e3f2c364e9396e806aadb10e3032d1a35f5dde31689c60d0c2aad3d3eb4acae4b932c1ae734c8cdea735fe3a2b90378f11ae6cbba4809c

        Download Submit
      • memory/992-61-0x0000000001C40000-0x0000000001C94000-memory.dmp
        Filesize

        336KB

        Download
      • memory/1412-66-0x0000000002650000-0x00000000026A4000-memory.dmp
        Filesize

        336KB

        Download
      • memory/1412-71-0x0000000003D00000-0x0000000003D6B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1412-75-0x0000000003D00000-0x0000000003D6B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/1508-56-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1508-54-0x0000000000400000-0x000000000045E000-memory.dmp
        Filesize

        376KB

        Download
      • memory/1508-59-0x0000000074A30000-0x0000000074A63000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1508-65-0x0000000074A30000-0x0000000074A98000-memory.dmp
        Filesize

        416KB

        Download
      • memory/1508-55-0x0000000075451000-0x0000000075453000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1508-73-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1508-74-0x0000000074A30000-0x0000000074A63000-memory.dmp
        Filesize

        204KB

        Download