Analysis

  • max time kernel
    184s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 11:53

General

  • Target

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe

  • Size

    230KB

  • MD5

    559334a0652c9a9515646d53f162c74a

  • SHA1

    af776b529d366b8ede32cdf89f6b6c9ee244cf4d

  • SHA256

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b

  • SHA512

    3d75339c9d8beefc220dd9237195d2fd231325382c3864efe787aaf30b707096bfc2171a6f0ecb02c62de265d7d2556a2095b7ac835e4fc40b2295fa311abc2d

  • SSDEEP

    3072:baSYvUVNpjftP8S4MDdfjKoskYWIqGrVbWHAQXEpQoRhqd9tsWtZbd+t0fqKi3Hu:bh9f5GSfEiTtsWTx0HHAQdZEe

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe
    "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
        3⤵
        • Views/modifies file attributes
        PID:1032
    • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
      "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:1944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\config.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\config.ini"
          4⤵
          • Views/modifies file attributes
          PID:1172
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\cfg"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\cfg"
          4⤵
          • Views/modifies file attributes
          PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "."
          4⤵
          • Views/modifies file attributes
          PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h ".."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h ".."
          4⤵
          • Views/modifies file attributes
          PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "config.ini"
        3⤵
        PID:1292
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "config.ini"
          4⤵
          • Views/modifies file attributes
          PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "winlogin.exe"
        3⤵
        PID:1148
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:1340

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Windows\config.ini

    Filesize

    23B

    MD5

    3686ce48884a1cfe6d8baf44e718983e

    SHA1

    ec7cac48f16c7123435570a99226c5bbe42f9d61

    SHA256

    9dad5b913773a0736ff50ea369c59d616b123dd284d7b3399f20920229a6e9a2

    SHA512

    b256487c217c698d2bef6fd389b399fe88b5d91e08bbf2467c92e08468f9f63419adfb6c28157a9309a952fb75c01b6621ba85318b1a3b692ffe24931f129528

  • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

    Filesize

    230KB

    MD5

    559334a0652c9a9515646d53f162c74a

    SHA1

    af776b529d366b8ede32cdf89f6b6c9ee244cf4d

    SHA256

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b

    SHA512

    3d75339c9d8beefc220dd9237195d2fd231325382c3864efe787aaf30b707096bfc2171a6f0ecb02c62de265d7d2556a2095b7ac835e4fc40b2295fa311abc2d

  • \Users\Admin\AppData\Roaming\Windows\winlogin.exe

    Filesize

    230KB

    MD5

    559334a0652c9a9515646d53f162c74a

    SHA1

    af776b529d366b8ede32cdf89f6b6c9ee244cf4d

    SHA256

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b

    SHA512

    3d75339c9d8beefc220dd9237195d2fd231325382c3864efe787aaf30b707096bfc2171a6f0ecb02c62de265d7d2556a2095b7ac835e4fc40b2295fa311abc2d

  • memory/308-61-0x0000000000000000-mapping.dmp

  • memory/524-64-0x0000000000000000-mapping.dmp

  • memory/568-55-0x0000000000000000-mapping.dmp

  • memory/612-71-0x0000000000000000-mapping.dmp

  • memory/960-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

    Filesize

    8KB

  • memory/1032-56-0x0000000000000000-mapping.dmp

  • memory/1148-77-0x0000000000000000-mapping.dmp

  • memory/1172-67-0x0000000000000000-mapping.dmp

  • memory/1292-75-0x0000000000000000-mapping.dmp

  • memory/1340-78-0x0000000000000000-mapping.dmp

  • memory/1380-73-0x0000000000000000-mapping.dmp

  • memory/1392-76-0x0000000000000000-mapping.dmp

  • memory/1404-72-0x0000000000000000-mapping.dmp

  • memory/1436-66-0x0000000000000000-mapping.dmp

  • memory/1560-58-0x0000000000000000-mapping.dmp

  • memory/1568-62-0x0000000000000000-mapping.dmp

  • memory/1728-74-0x0000000000000000-mapping.dmp

  • memory/1764-69-0x0000000000000000-mapping.dmp

  • memory/1884-70-0x0000000000000000-mapping.dmp

  • memory/1944-65-0x0000000000000000-mapping.dmp