Overview

overview

9

Static

static

7eb6b2a702...20.exe

windows7-x64

9

7eb6b2a702...20.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe

  • Size

    205KB

  • MD5

    a68fca7118b49b5cd23a4935961db414

  • SHA1

    b012adfbb775b9bdcb97f0f6499cef78c1d164eb

  • SHA256

    7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620

  • SHA512

    a079dd81d95867b5850a2c2752f2bff095d07da9dd3210559f2ecfa0ff2efe60208691e19c5a3d2c0110240adde35264546367b668d196baf037604ea28b9f54

  • SSDEEP

    6144:2tDhyn6LyqfdR5SeZo7N9PmRqV4Q+zSt+:2tDdfD5SIO9PmRGww+

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe
      "C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe"
      2⤵
        PID:1704
      • C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe
        "C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe"
        2⤵
          PID:1896
        • C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe
          "C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe"
          2⤵
            PID:1680
          • C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe
            "C:\Users\Admin\AppData\Local\Temp\7eb6b2a7023300666acd2778fcfb450a9fbe2572f4f5e80a665a3fb17a2c1620.exe"
            2⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\SysWOW64\explorer.exe
              "C:\Windows\syswow64\explorer.exe"
              3⤵
              • Drops startup file
              • Adds Run key to start application
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\SysWOW64\svchost.exe
                -k netsvcs
                4⤵
                  PID:4728

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1720-133-0x0000000000000000-mapping.dmp
            Download
          • memory/1720-136-0x0000000000400000-0x0000000000425000-memory.dmp
            Filesize

            148KB

            Download
          • memory/2744-135-0x0000000000000000-mapping.dmp
            Download
          • memory/2744-137-0x00000000012E0000-0x0000000001305000-memory.dmp
            Filesize

            148KB

            Download
          • memory/3160-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3160-134-0x0000000074FF0000-0x00000000755A1000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/4728-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4728-139-0x0000000000470000-0x0000000000495000-memory.dmp
            Filesize

            148KB

            Download
          • memory/4728-140-0x0000000000470000-0x0000000000495000-memory.dmp
            Filesize

            148KB

            Download