Overview

overview

10

Static

static

9d085fe596...43.exe

windows7-x64

10

9d085fe596...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43.exe

  • Size

    262KB

  • MD5

    dd3d297db386103f447b5eed0e62b408

  • SHA1

    5685ac2294da0581d3e33037b151709d61a98f4b

  • SHA256

    9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43

  • SHA512

    3feb95985416ca6918e1d7d30bfe848e2019847cbf1ad3db4b194c229747a076945b81c605e368dac10451e0176603320f7d8d835d47fbbc3bc37e4118e4ceaf

  • SSDEEP

    6144:A/bILVvWfZc2yUyfi8j4VtyjXP56OS+I1:A0xWfZc2PJZtyjDPa

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43.exe
    "C:\Users\Admin\AppData\Local\Temp\9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43.exe
      "C:\Users\Admin\AppData\Local\Temp\9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43.exe"
      2⤵
      • Modifies firewall policy service
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Users\Admin\M-5078860807246347675945\winmgr.exe
        C:\Users\Admin\M-5078860807246347675945\winmgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Users\Admin\M-5078860807246347675945\winmgr.exe
          C:\Users\Admin\M-5078860807246347675945\winmgr.exe
          4⤵
          • Executes dropped EXE
          PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\M-5078860807246347675945\winmgr.exe
    Filesize

    262KB

    MD5

    dd3d297db386103f447b5eed0e62b408

    SHA1

    5685ac2294da0581d3e33037b151709d61a98f4b

    SHA256

    9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43

    SHA512

    3feb95985416ca6918e1d7d30bfe848e2019847cbf1ad3db4b194c229747a076945b81c605e368dac10451e0176603320f7d8d835d47fbbc3bc37e4118e4ceaf

    Download Submit
  • C:\Users\Admin\M-5078860807246347675945\winmgr.exe
    Filesize

    262KB

    MD5

    dd3d297db386103f447b5eed0e62b408

    SHA1

    5685ac2294da0581d3e33037b151709d61a98f4b

    SHA256

    9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43

    SHA512

    3feb95985416ca6918e1d7d30bfe848e2019847cbf1ad3db4b194c229747a076945b81c605e368dac10451e0176603320f7d8d835d47fbbc3bc37e4118e4ceaf

    Download Submit
  • C:\Users\Admin\M-5078860807246347675945\winmgr.exe
    Filesize

    262KB

    MD5

    dd3d297db386103f447b5eed0e62b408

    SHA1

    5685ac2294da0581d3e33037b151709d61a98f4b

    SHA256

    9d085fe596c5223d3250f38f9bbb0585f8555f281cc07f2ce883aeb806d6cf43

    SHA512

    3feb95985416ca6918e1d7d30bfe848e2019847cbf1ad3db4b194c229747a076945b81c605e368dac10451e0176603320f7d8d835d47fbbc3bc37e4118e4ceaf

    Download Submit
  • memory/1776-144-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1776-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2396-135-0x0000000000400000-0x0000000001898000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/2396-132-0x0000000000400000-0x0000000001898000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/2396-133-0x0000000000400000-0x0000000001898000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/3512-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3512-140-0x0000000000400000-0x0000000001898000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/3512-143-0x0000000000400000-0x0000000001898000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4732-136-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/4732-134-0x0000000000000000-mapping.dmp
    Download