Analysis

  • max time kernel
    295s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-11-2022 11:53

General

  • Target

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe

  • Size

    230KB

  • MD5

    559334a0652c9a9515646d53f162c74a

  • SHA1

    af776b529d366b8ede32cdf89f6b6c9ee244cf4d

  • SHA256

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b

  • SHA512

    3d75339c9d8beefc220dd9237195d2fd231325382c3864efe787aaf30b707096bfc2171a6f0ecb02c62de265d7d2556a2095b7ac835e4fc40b2295fa311abc2d

  • SSDEEP

    3072:baSYvUVNpjftP8S4MDdfjKoskYWIqGrVbWHAQXEpQoRhqd9tsWtZbd+t0fqKi3Hu:bh9f5GSfEiTtsWTx0HHAQdZEe

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe
    "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Temp\e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b.exe"
        3⤵
        • Views/modifies file attributes
        PID:4028
    • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
      "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:3388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\config.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\config.ini"
          4⤵
          • Views/modifies file attributes
          PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Roaming\Windows\cfg"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\Windows\cfg"
          4⤵
          • Views/modifies file attributes
          PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "."
          4⤵
          • Views/modifies file attributes
          PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h ".."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h ".."
          4⤵
          • Views/modifies file attributes
          PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "config.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "config.ini"
          4⤵
          • Views/modifies file attributes
          PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h "winlogin.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "winlogin.exe"
          4⤵
          • Views/modifies file attributes
          PID:4252

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Windows\config.ini

    Filesize

    23B

    MD5

    3686ce48884a1cfe6d8baf44e718983e

    SHA1

    ec7cac48f16c7123435570a99226c5bbe42f9d61

    SHA256

    9dad5b913773a0736ff50ea369c59d616b123dd284d7b3399f20920229a6e9a2

    SHA512

    b256487c217c698d2bef6fd389b399fe88b5d91e08bbf2467c92e08468f9f63419adfb6c28157a9309a952fb75c01b6621ba85318b1a3b692ffe24931f129528

  • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

    Filesize

    230KB

    MD5

    559334a0652c9a9515646d53f162c74a

    SHA1

    af776b529d366b8ede32cdf89f6b6c9ee244cf4d

    SHA256

    e7daacd1cfee0b8454ee1c79b031e3f9500c55a41742d4b697f2cea891b21e3b

    SHA512

    3d75339c9d8beefc220dd9237195d2fd231325382c3864efe787aaf30b707096bfc2171a6f0ecb02c62de265d7d2556a2095b7ac835e4fc40b2295fa311abc2d

  • memory/1416-153-0x0000000000000000-mapping.dmp

  • memory/1652-152-0x0000000000000000-mapping.dmp

  • memory/2052-143-0x0000000000000000-mapping.dmp

  • memory/2244-150-0x0000000000000000-mapping.dmp

  • memory/2492-138-0x0000000000000000-mapping.dmp

  • memory/2756-139-0x0000000000000000-mapping.dmp

  • memory/2980-148-0x0000000000000000-mapping.dmp

  • memory/3300-145-0x0000000000000000-mapping.dmp

  • memory/3376-142-0x0000000000000000-mapping.dmp

  • memory/3388-141-0x0000000000000000-mapping.dmp

  • memory/3444-147-0x0000000000000000-mapping.dmp

  • memory/3708-133-0x0000000000000000-mapping.dmp

  • memory/3868-149-0x0000000000000000-mapping.dmp

  • memory/4028-134-0x0000000000000000-mapping.dmp

  • memory/4212-146-0x0000000000000000-mapping.dmp

  • memory/4252-154-0x0000000000000000-mapping.dmp

  • memory/4408-135-0x0000000000000000-mapping.dmp

  • memory/4452-151-0x0000000000000000-mapping.dmp

  • memory/4592-140-0x0000000000000000-mapping.dmp