Overview

overview

8

Static

static

6009a425bf...dc.exe

windows7-x64

8

6009a425bf...dc.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    170s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc.exe

  • Size

    483KB

  • MD5

    082ba9caf9a8bb47690e15713dc0767d

  • SHA1

    4240f04cbc25816f02a434f73416a6438fe1235c

  • SHA256

    6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc

  • SHA512

    bc98426cbfe9ac5ed015ab1b841ffb6422117e47b6b088eb424e2ccfa327b6027908a268fccdc71dd5dd5730f8cd8832421b5cf98d898b71eeab5d1325dd1af7

  • SSDEEP

    12288:PH/D9lSj7eGkTfsx5vzQt6jKew9lSj7eGkTfsx5vzQt6jKa:Pr9A32fsxJzQtyKJ9A32fsxJzQtyKa

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc.exe
    "C:\Users\Admin\AppData\Local\Temp\6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc.exe
      "C:\Users\Admin\AppData\Local\Temp\6009a425bf85982c62ccf8297d4e8808a6ad855f248b96f02116b707175783dc.exe"
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe
        "C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe
          "C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1932
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1ccf695a.bat"
        3⤵
        • Deletes itself
        PID:1756
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1420
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1364
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1260
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-758819449-1324412901-1241252627-25441830175320628-98242187-14929936411147370683"
          1⤵
            PID:1360
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:920
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1488

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmp1ccf695a.bat
                Filesize

                307B

                MD5

                a06e9a733e1a6c6acda1a3ddbd204cec

                SHA1

                9880a61fccc1ca8a58f74e1645d6a2c383d35f96

                SHA256

                c55ed482bdc4764f9f79403fd32211728a6e278cdf2d38fca2362095889fa3af

                SHA512

                6d62a0331a1451291d56937cace6ab05463905a81350cc5a4bba40eab2e319132e834aa0d13672d1f7d64751476ebd0f9c275986f2a3df9dae378bb87c3d485d

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe
                Filesize

                483KB

                MD5

                c61d60110779f202934719a5777d6338

                SHA1

                4cd33dc8214ce9ff146e9814c8a9d0ae2a84e7fe

                SHA256

                a5f5949c593c70cff25fdecf1a90073f099942680bc9feb04faf5c69aa1fa9d7

                SHA512

                720fb838999d66d908ba38d00387c21686cd51ec518253e1db8c182192d76ebf0e450a70a0c0ad59d4134ca8bdee88fd11721c4d723b65b2e714419cd8597776

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe
                Filesize

                483KB

                MD5

                c61d60110779f202934719a5777d6338

                SHA1

                4cd33dc8214ce9ff146e9814c8a9d0ae2a84e7fe

                SHA256

                a5f5949c593c70cff25fdecf1a90073f099942680bc9feb04faf5c69aa1fa9d7

                SHA512

                720fb838999d66d908ba38d00387c21686cd51ec518253e1db8c182192d76ebf0e450a70a0c0ad59d4134ca8bdee88fd11721c4d723b65b2e714419cd8597776

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Adymf\xuma.exe
                Filesize

                483KB

                MD5

                c61d60110779f202934719a5777d6338

                SHA1

                4cd33dc8214ce9ff146e9814c8a9d0ae2a84e7fe

                SHA256

                a5f5949c593c70cff25fdecf1a90073f099942680bc9feb04faf5c69aa1fa9d7

                SHA512

                720fb838999d66d908ba38d00387c21686cd51ec518253e1db8c182192d76ebf0e450a70a0c0ad59d4134ca8bdee88fd11721c4d723b65b2e714419cd8597776

                Download Submit
              • \Users\Admin\AppData\Roaming\Adymf\xuma.exe
                Filesize

                483KB

                MD5

                c61d60110779f202934719a5777d6338

                SHA1

                4cd33dc8214ce9ff146e9814c8a9d0ae2a84e7fe

                SHA256

                a5f5949c593c70cff25fdecf1a90073f099942680bc9feb04faf5c69aa1fa9d7

                SHA512

                720fb838999d66d908ba38d00387c21686cd51ec518253e1db8c182192d76ebf0e450a70a0c0ad59d4134ca8bdee88fd11721c4d723b65b2e714419cd8597776

                Download Submit
              • memory/920-122-0x00000000002B0000-0x00000000002D7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/920-123-0x00000000002B0000-0x00000000002D7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/920-124-0x00000000002B0000-0x00000000002D7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/920-121-0x00000000002B0000-0x00000000002D7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-86-0x0000000001D30000-0x0000000001D57000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-87-0x0000000001D30000-0x0000000001D57000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-85-0x0000000001D30000-0x0000000001D57000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1260-88-0x0000000001D30000-0x0000000001D57000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1364-93-0x0000000001AE0000-0x0000000001B07000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1364-91-0x0000000001AE0000-0x0000000001B07000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1364-95-0x0000000001AE0000-0x0000000001B07000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1364-92-0x0000000001AE0000-0x0000000001B07000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1420-100-0x0000000002270000-0x0000000002297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1420-98-0x0000000002270000-0x0000000002297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1420-101-0x0000000002270000-0x0000000002297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1420-99-0x0000000002270000-0x0000000002297000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1488-130-0x0000000003A50000-0x0000000003A77000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1488-129-0x0000000003A50000-0x0000000003A77000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1488-127-0x0000000003A50000-0x0000000003A77000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1488-128-0x0000000003A50000-0x0000000003A77000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-63-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-109-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-106-0x0000000002900000-0x0000000002927000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-66-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-65-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-107-0x0000000002900000-0x0000000002927000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-62-0x0000000000413048-mapping.dmp
                Download
              • memory/1648-105-0x0000000002900000-0x0000000002927000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-104-0x0000000002900000-0x0000000002927000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-110-0x0000000002900000-0x0000000002927000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-61-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-55-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-59-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1648-58-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1756-114-0x0000000000080000-0x00000000000A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1756-116-0x0000000000080000-0x00000000000A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1756-115-0x0000000000080000-0x00000000000A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1756-113-0x0000000000080000-0x00000000000A7000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1756-108-0x0000000000000000-mapping.dmp
                Download
              • memory/1932-94-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1932-78-0x0000000000413048-mapping.dmp
                Download
              • memory/1932-131-0x0000000000400000-0x0000000000427000-memory.dmp
                Filesize

                156KB

                Download
              • memory/1948-68-0x0000000000000000-mapping.dmp
                Download