Overview

overview

10

Static

static

f4bd7ad1e9...31.exe

windows7-x64

10

f4bd7ad1e9...31.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe

  • Size

    114KB

  • MD5

    7583749fdc248fa02181f92fff511229

  • SHA1

    8fd8a257c5f9d3b1efa153fd29074fe0408ac33b

  • SHA256

    f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31

  • SHA512

    7f30f80109325f73e7fcf19114a97fa2d2dfa9c01fa5a94a6289dfdff9f3b1231195a2dbbd5557c5eff2f4c68ccd4978aa05b1df1b6f4509c9786b55b1d5ebca

  • SSDEEP

    3072:e3m/d2UIagDojIxXR92PUsDVRqp1aW0CUCQxYDbHjLr:z2jaao0QnCoY3/r

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
      "C:\Users\Admin\AppData\Local\Temp\f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@
    Filesize

    2KB

    MD5

    df34aaeb1c6624dcb4d1d96c069aac80

    SHA1

    534ba0909c06204000f381589f8dae494cf6541b

    SHA256

    1168ce5df5d2ad309bb33f96b49433fee3bb3784c56975b1e902326c3d430ec3

    SHA512

    7e72dfea34b6ebff34286cb67630a8068b1a262210a2baed98a4747dc780d077dfbe77a6a7aa0c97976fd59fb465d6f867e9b4a77271f0e68c68314df5985aab

    Download Submit
  • memory/460-54-0x0000000000080000-0x000000000008F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/460-58-0x0000000000080000-0x000000000008F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/460-62-0x0000000000080000-0x000000000008F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/460-64-0x0000000000070000-0x000000000007B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/460-65-0x0000000000090000-0x000000000009F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/460-66-0x0000000000070000-0x000000000007B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/460-67-0x0000000000090000-0x000000000009F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/564-68-0x0000000000000000-mapping.dmp
    Download