Overview

overview

8

Static

static

0537eadb98...f7.exe

windows7-x64

8

0537eadb98...f7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    18s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 02:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0537eadb9870233d3e95c6658192dbf486e4617d2e8b646909c44584893c64f7.exe

  • Size

    64KB

  • MD5

    9995d81d4a2d5b4aff1e507b124c2e7c

  • SHA1

    5a7466fceb33fbf4474851e373b261dc7844e765

  • SHA256

    0537eadb9870233d3e95c6658192dbf486e4617d2e8b646909c44584893c64f7

  • SHA512

    f834dd2f753c72be01ff9ea33a6767f7c06fa963323974e6518648381460d4c4858005778ac6ddaa0c69c4076da4fb7d8bfd1f10dd5fe169b592773b63f1f1c0

  • SSDEEP

    768:PNnyHE+qM58rO3LSnkdplxMwTPpWh1T+2GqPJWwGOwnEEfFaz+:W3qVrsjpUwThxOgr

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Suspicious behavior: LoadsDriver
      PID:460
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        2⤵
          PID:812
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            3⤵
              PID:1240
          • C:\Windows\System32\spoolsv.exe
            C:\Windows\System32\spoolsv.exe
            2⤵
              PID:1012
            • C:\Windows\system32\taskhost.exe
              "taskhost.exe"
              2⤵
                PID:1148
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:1112
                • C:\Windows\system32\sppsvc.exe
                  C:\Windows\system32\sppsvc.exe
                  2⤵
                    PID:1080
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                    2⤵
                      PID:1048
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:284
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:884
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:840
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:760
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:676
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:596
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                            C:\Windows\system32\wbem\wmiprvse.exe
                                            1⤵
                                              PID:852
                                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              1⤵
                                                PID:1996
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1272
                                                  • C:\Users\Admin\AppData\Local\Temp\0537eadb9870233d3e95c6658192dbf486e4617d2e8b646909c44584893c64f7.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\0537eadb9870233d3e95c6658192dbf486e4617d2e8b646909c44584893c64f7.exe"
                                                    2⤵
                                                    • Drops file in Drivers directory
                                                    • Loads dropped DLL
                                                    • Drops file in System32 directory
                                                    • Drops file in Windows directory
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:848
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0537eadb9870233d3e95c6658192dbf486e4617d2e8b646909c44584893c64f7.exe"
                                                      3⤵
                                                      • Deletes itself
                                                      PID:1236

                                                Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • \Users\Admin\AppData\Local\Temp\tmpB7DC.tmp
                                                        Filesize

                                                        10KB

                                                        MD5

                                                        02c63237b361181fac5374b021627b54

                                                        SHA1

                                                        e7ac4f718bbc45dc61b0c94218cd5ec413962701

                                                        SHA256

                                                        0ff7a2f7991408314c88984b4c345362cb1a07b708f7c05975cf027dd92c4522

                                                        SHA512

                                                        439e7d1b7c48154fa57a47f072cb5f160002205aaf88c4fe15ee05dd09141337bc373460228a4213b35ba310d10baf38bf62ee37cc8ddc7af7c8684db3432306

                                                        Download Submit

                                                      • memory/848-55-0x0000000010000000-0x0000000010027000-memory.dmp

                                                        Filesize

                                                        156KB

                                                        Download

                                                      • memory/848-57-0x0000000010000000-0x0000000010027000-memory.dmp

                                                        Filesize

                                                        156KB

                                                        Download