Overview

overview

7

Static

static

c743541d3f...75.exe

windows7-x64

7

c743541d3f...75.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

  • Size

    538KB

  • MD5

    8bf1a7c0b986753dc55ac591fd87502e

  • SHA1

    74cf75aedaf4d8318639a554cb0f49b3e90eb585

  • SHA256

    c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475

  • SHA512

    8aab9a9cf7cdb7981e8d9be1ee10b079f4e1637d91adef41f6a28a357ba268ce1f751fd0e1ca3b3c87e61a8ca9f5d660321513e90b0d520b70fec2d6b0e15ff9

  • SSDEEP

    6144:+nk0yCBGRVvMBRDojcGncLgeVT92ZcsAxSHsaiHDbAB3i:sBy4GROoAL5VT9ycs1OG3

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:1996
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      1⤵
        PID:1092
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
        • C:\Users\Admin\AppData\Local\Temp\c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
          "C:\Users\Admin\AppData\Local\Temp\c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe"
          2⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1956
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        1⤵
          PID:336

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\SunkuMgogh\SunkuMgogh.dat
          Filesize

          264KB

          MD5

          687985564e3083815d0f80e652f8d045

          SHA1

          9e292e5ff1b6454ae048b2e0690412fb1d216ab6

          SHA256

          dda3060ddafaa8c1778d3b92a92c7fc6e39b373590b0693885a6d16709d13beb

          SHA512

          cdb3a9083097b4989fdce468e2ba672b1727d9e36a2db1005e6c712331918600cfa17e44d514bf16d98493cfd82714187575f09aab1b5f185d6654f0460c3153

          Download Submit
        • \ProgramData\SunkuMgogh\SunkuMgogh.dat
          Filesize

          264KB

          MD5

          687985564e3083815d0f80e652f8d045

          SHA1

          9e292e5ff1b6454ae048b2e0690412fb1d216ab6

          SHA256

          dda3060ddafaa8c1778d3b92a92c7fc6e39b373590b0693885a6d16709d13beb

          SHA512

          cdb3a9083097b4989fdce468e2ba672b1727d9e36a2db1005e6c712331918600cfa17e44d514bf16d98493cfd82714187575f09aab1b5f185d6654f0460c3153

          Download Submit
        • memory/336-60-0x0000000001C00000-0x0000000001C54000-memory.dmp
          Filesize

          336KB

          Download
        • memory/1296-73-0x00000000029D0000-0x0000000002A24000-memory.dmp
          Filesize

          336KB

          Download
        • memory/1296-74-0x0000000002B70000-0x0000000002BDB000-memory.dmp
          Filesize

          428KB

          Download
        • memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1956-55-0x0000000000400000-0x0000000000442000-memory.dmp
          Filesize

          264KB

          Download
        • memory/1956-58-0x0000000074840000-0x0000000074873000-memory.dmp
          Filesize

          204KB

          Download
        • memory/1956-71-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1956-72-0x0000000074840000-0x00000000748AB000-memory.dmp
          Filesize

          428KB

          Download
        • memory/1956-76-0x0000000074840000-0x0000000074873000-memory.dmp
          Filesize

          204KB

          Download
        • memory/1956-75-0x0000000000400000-0x0000000000442000-memory.dmp
          Filesize

          264KB

          Download