Overview

overview

10

Static

static

cca0575190...8e.exe

windows7-x64

10

cca0575190...8e.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e.exe

  • Size

    228KB

  • MD5

    0a6678f8421116ddd57ea116c104b062

  • SHA1

    514b5eaa79e2ac1049d09ecce555a59e9ea388e1

  • SHA256

    cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e

  • SHA512

    82ff67dcd5bf7ac3b5286248ee3a0105bcaacb4d3cd6387c4bdb99877017bd46efa250d6286d802a59502a59475bbb00590173d64dccadbc592ceea151294ec2

  • SSDEEP

    6144:MBO8MDptfN0zKcOOYHliCBQb+F/irkJbj9DvD:h8MrqKckl9eyFuubj9DvD

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 5 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e.exe
    "C:\Users\Admin\AppData\Local\Temp\cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e.exe
      "C:\Users\Admin\AppData\Local\Temp\cca05751903294ebd93629d331d25bfd2706bbc07ff4ed121141855862f4658e.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Users\Admin\AppData\Roaming\Ipys\evil.exe
        "C:\Users\Admin\AppData\Roaming\Ipys\evil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Users\Admin\AppData\Roaming\Ipys\evil.exe
          "C:\Users\Admin\AppData\Roaming\Ipys\evil.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            5⤵
            • Modifies firewall policy service
            • Deletes itself
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1172
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
    • C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
      1⤵
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:572

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Ipys\evil.exe
      Filesize

      228KB

      MD5

      a0725d5d7ac096fe42666fb0485a3164

      SHA1

      32b9bb8912a5677e669796827294224754a1fc89

      SHA256

      bca4a6c98d2f8f73c405219d1341def2690aeb290a90a9b2f2954d7d77c838aa

      SHA512

      9a1cb7325eaa0a8a159d30b6ad10c2d56bf9b43ca2f9c0eb24b9f3aff76bb86c0d1d2a7c7866a0d222b319fb6f72f9c532e552b0af10906114a82861455eb456

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Ipys\evil.exe
      Filesize

      228KB

      MD5

      a0725d5d7ac096fe42666fb0485a3164

      SHA1

      32b9bb8912a5677e669796827294224754a1fc89

      SHA256

      bca4a6c98d2f8f73c405219d1341def2690aeb290a90a9b2f2954d7d77c838aa

      SHA512

      9a1cb7325eaa0a8a159d30b6ad10c2d56bf9b43ca2f9c0eb24b9f3aff76bb86c0d1d2a7c7866a0d222b319fb6f72f9c532e552b0af10906114a82861455eb456

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Ipys\evil.exe
      Filesize

      228KB

      MD5

      a0725d5d7ac096fe42666fb0485a3164

      SHA1

      32b9bb8912a5677e669796827294224754a1fc89

      SHA256

      bca4a6c98d2f8f73c405219d1341def2690aeb290a90a9b2f2954d7d77c838aa

      SHA512

      9a1cb7325eaa0a8a159d30b6ad10c2d56bf9b43ca2f9c0eb24b9f3aff76bb86c0d1d2a7c7866a0d222b319fb6f72f9c532e552b0af10906114a82861455eb456

      Download Submit

    • \Users\Admin\AppData\Roaming\Ipys\evil.exe
      Filesize

      228KB

      MD5

      a0725d5d7ac096fe42666fb0485a3164

      SHA1

      32b9bb8912a5677e669796827294224754a1fc89

      SHA256

      bca4a6c98d2f8f73c405219d1341def2690aeb290a90a9b2f2954d7d77c838aa

      SHA512

      9a1cb7325eaa0a8a159d30b6ad10c2d56bf9b43ca2f9c0eb24b9f3aff76bb86c0d1d2a7c7866a0d222b319fb6f72f9c532e552b0af10906114a82861455eb456

      Download Submit

    • memory/572-108-0x0000000002180000-0x0000000002190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/572-102-0x0000000001E90000-0x0000000001EA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/572-101-0x000007FEF66A1000-0x000007FEF66A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/572-100-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

      Filesize

      8KB

      Download

    • memory/872-65-0x00000000004037FF-mapping.dmp

      Download

    • memory/872-99-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-69-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-71-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-72-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-55-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-68-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-56-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-58-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-64-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-62-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/872-60-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1016-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1016-67-0x0000000000230000-0x000000000024D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1172-97-0x0000000000080000-0x00000000000AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1172-95-0x0000000074D01000-0x0000000074D03000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1172-93-0x0000000000000000-mapping.dmp

      Download

    • memory/1336-96-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1336-98-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1336-87-0x00000000004037FF-mapping.dmp

      Download

    • memory/1488-74-0x0000000000000000-mapping.dmp

      Download