Overview

overview

10

Static

static

9005436ea8...62.exe

windows7-x64

10

9005436ea8...62.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    182s
  • max time network
    219s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe

  • Size

    742KB

  • MD5

    39c0e005cd2892a7b315081f9db6dc37

  • SHA1

    e9c2dda548ca0f53939d8bbf9228a92977964341

  • SHA256

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

  • SHA512

    e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

  • SSDEEP

    12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:4704
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
        2⤵
          PID:3112
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          2⤵
            PID:1332
        • C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe
          "C:\Users\Admin\AppData\Local\Temp\9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62.exe"
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3500
        • C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
          C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2132

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\SoftwareDistribution\miylefa
          Filesize

          654B

          MD5

          9b5857ca9bc850209e1f9c4865e7f8eb

          SHA1

          bc75ac6040f802c702c6753f995616a86e73f50a

          SHA256

          7c0cc0fdddc1848ee9d7ec32d737df87547fc5e97b7df4c26f6b6d5cee7fdba1

          SHA512

          eb6ecf5811ed53f6c9d0d575cc957493b8170e58f81a3a551b88b16ce83809f1c435e8ab8c96f4fc7e43e89541e941972ebac72be1cd7d8a7ebdc84306bb4a8a

          Download Submit
        • C:\ProgramData\SoftwareDistribution\miylefa
          Filesize

          654B

          MD5

          9b5857ca9bc850209e1f9c4865e7f8eb

          SHA1

          bc75ac6040f802c702c6753f995616a86e73f50a

          SHA256

          7c0cc0fdddc1848ee9d7ec32d737df87547fc5e97b7df4c26f6b6d5cee7fdba1

          SHA512

          eb6ecf5811ed53f6c9d0d575cc957493b8170e58f81a3a551b88b16ce83809f1c435e8ab8c96f4fc7e43e89541e941972ebac72be1cd7d8a7ebdc84306bb4a8a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
          Filesize

          742KB

          MD5

          39c0e005cd2892a7b315081f9db6dc37

          SHA1

          e9c2dda548ca0f53939d8bbf9228a92977964341

          SHA256

          9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

          SHA512

          e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
          Filesize

          742KB

          MD5

          39c0e005cd2892a7b315081f9db6dc37

          SHA1

          e9c2dda548ca0f53939d8bbf9228a92977964341

          SHA256

          9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

          SHA512

          e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

          Download Submit
        • memory/804-142-0x0000000013360000-0x00000000133D7000-memory.dmp
          Filesize

          476KB

          Download
        • memory/1332-147-0x0000000000000000-mapping.dmp
          Download
        • memory/2132-141-0x0000000001460000-0x00000000016AB000-memory.dmp
          Filesize

          2.3MB

          Download
        • memory/3112-146-0x0000000000000000-mapping.dmp
          Download
        • memory/3500-132-0x0000000000400000-0x00000000004BC000-memory.dmp
          Filesize

          752KB

          Download
        • memory/3500-135-0x0000000002940000-0x0000000002B8B000-memory.dmp
          Filesize

          2.3MB

          Download
        • memory/3500-134-0x0000000002720000-0x000000000293A000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3500-133-0x0000000000401000-0x00000000004A5000-memory.dmp
          Filesize

          656KB

          Download
        • memory/4704-145-0x0000000000000000-mapping.dmp
          Download