Overview

overview

10

Static

static

a52b3d6de1...4b.exe

windows7-x64

10

a52b3d6de1...4b.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b.exe

  • Size

    69KB

  • MD5

    d8ff54c058c80f42c262124e0ad582a9

  • SHA1

    186c44abfeac9dbc7131ee6294168634b59c7a8d

  • SHA256

    a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b

  • SHA512

    8e4ad620b4e26f8955a03b0751b378b1b966359c63f0cdc9380dfff0587f0275584248242600fa3a5e5faae1ea41e88a2b792291cfc539e7de9c10a1e3a3a8b2

  • SSDEEP

    1536:OYEiFMLao04I0QoWQII3dRlObu8x7Q5I/R:XEiFvo04jQuP3ROK8xQ5Ip

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Local\Temp\a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b.exe
      "C:\Users\Admin\AppData\Local\Temp\a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b.exe
        "C:\Users\Admin\AppData\Local\Temp\a52b3d6de13c19bc415282ea6084984720bf453a7b7347185f49e66946ddff4b.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:1760
    • C:\Windows\syswow64\svchost.exe
      "C:\Windows\syswow64\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\ctfmon.exe
        ctfmon.exe
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:820

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1076-70-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-55-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-56-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-57-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-59-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-60-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-64-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1076-65-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1296-67-0x00000000029D0000-0x00000000029D9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1420-71-0x0000000000080000-0x0000000000089000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1420-73-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1420-75-0x0000000000080000-0x0000000000089000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1420-76-0x0000000000080000-0x0000000000089000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1760-68-0x00000000FFBB0000-0x00000000FFE70000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1760-69-0x0000000000030000-0x0000000000040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1956-54-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1956-63-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download