Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 02:09

General

  • Target

    7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe

  • Size

    304KB

  • MD5

    10b9f58bc5186e251dd106b9a967dbf6

  • SHA1

    c091c0eaccd0a770b8df622cb3faf5b189e5fdcf

  • SHA256

    7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071

  • SHA512

    21c9c0cec68a4b0830e80a0e19aa3a0e3a934ea4d4daf7280d378e094b3311a747e62e4367b3abe7dc3a5184638ffdd8a49242726aaa7fdf352804bda637ef60

  • SSDEEP

    3072:JRj2d7pRRRMRRRb7HietvTss3XXD8Eq3GBsoeswwA/mdm04yKr7Td6:yp7eHtHEgD8Eq8E3Gm04yG

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:3200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:2400
    • C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe
      "C:\Users\Admin\AppData\Local\Temp\7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\svchost.exe" /t REG_SZ /d "C:\Windows\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\svchost.exe" /t REG_SZ /d "C:\Windows\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:3380
        • C:\Windows\svchost.exe
          "C:\Windows\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4888

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\svchost.exe

    Filesize

    304KB

    MD5

    10b9f58bc5186e251dd106b9a967dbf6

    SHA1

    c091c0eaccd0a770b8df622cb3faf5b189e5fdcf

    SHA256

    7eb4b2ff20637235069ef71e625a46665ffd695e35bb6716a0aaf51bd11e4071

    SHA512

    21c9c0cec68a4b0830e80a0e19aa3a0e3a934ea4d4daf7280d378e094b3311a747e62e4367b3abe7dc3a5184638ffdd8a49242726aaa7fdf352804bda637ef60

  • memory/1860-160-0x0000000000000000-mapping.dmp

  • memory/2400-142-0x0000000000000000-mapping.dmp

  • memory/2968-150-0x0000000000000000-mapping.dmp

  • memory/3200-143-0x0000000000000000-mapping.dmp

  • memory/3380-159-0x0000000000000000-mapping.dmp

  • memory/3408-145-0x0000000000000000-mapping.dmp

  • memory/3408-157-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3412-132-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3412-140-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3700-151-0x0000000000000000-mapping.dmp

  • memory/3816-136-0x0000000000000000-mapping.dmp

  • memory/4468-135-0x0000000000000000-mapping.dmp

  • memory/4648-138-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4648-137-0x0000000000000000-mapping.dmp

  • memory/4648-144-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4648-158-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4648-141-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4888-152-0x0000000000000000-mapping.dmp

  • memory/4888-161-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB