Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2022 08:14

General

  • Target

    6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931.exe

  • Size

    76KB

  • MD5

    a9323511953602f66c23091e62c3ed72

  • SHA1

    12b9be704c2390bf12e719c25ecc97baa5bd6fe8

  • SHA256

    6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931

  • SHA512

    0f872bfd43788ac4ea789875e85a92c088345057fcd7099aa4a8edef582165445c3bb73bff7f25e95e871b58bf8a80678242d0079a4b4550775ace61ded8ae06

  • SSDEEP

    1536:y2La14dKCK4U4R7Dt1hwtlLNIRh1nlDD6Y:yZ14dKCK4lR7Dt1I/efl36Y

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931.exe
      "C:\Users\Admin\AppData\Local\Temp\6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Users\Admin\AppData\Local\Temp\6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931.exe
        "C:\Users\Admin\AppData\Local\Temp\6a6883cba3af716b2593447ddb61b2fac8cfa44ec3d4692675fa6f82ad31a931.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:1308
    • C:\Windows\syswow64\svchost.exe
      "C:\Windows\syswow64\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\ctfmon.exe
        ctfmon.exe
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:1052

Network

  • DNS (svchost.exe), remote address 8.8.8.8:53
    Request: tdzzf.ru IN A
    Response: (none recorded)
  • DNS (svchost.exe), remote address 8.8.8.8:53
    Request: cxcyp.su IN A
    Response: (none recorded)
  • 8.8.8.8:53, tdzzf.ru, dns, svchost.exe, 54 B, 115 B, 1, 1
    DNS Request: tdzzf.ru
  • 8.8.8.8:53, cxcyp.su, dns, svchost.exe, 54 B, 115 B, 1, 1
    DNS Request: cxcyp.su

MITRE ATT&CK Enterprise v6


Downloads

  • memory/836-72-0x0000000000000000-mapping.dmp
  • memory/836-76-0x0000000000080000-0x0000000000089000-memory.dmp (36KB)
  • memory/836-74-0x0000000000080000-0x0000000000089000-memory.dmp (36KB)
  • memory/836-73-0x00000000756B1000-0x00000000756B3000-memory.dmp (8KB)
  • memory/836-71-0x0000000000080000-0x0000000000089000-memory.dmp (36KB)
  • memory/1052-75-0x0000000000000000-mapping.dmp
  • memory/1308-66-0x0000000000000000-mapping.dmp
  • memory/1308-70-0x0000000000030000-0x0000000000040000-memory.dmp (64KB)
  • memory/1308-69-0x00000000FFDA0000-0x0000000100060000-memory.dmp (2.8MB)
  • memory/1404-67-0x0000000002150000-0x0000000002159000-memory.dmp (36KB)
  • memory/1756-60-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-68-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-65-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-61-0x00000000004011E0-mapping.dmp
  • memory/1756-64-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-59-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-57-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-56-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1756-55-0x0000000000400000-0x0000000000415000-memory.dmp (84KB)
  • memory/1980-54-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)
  • memory/1980-62-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)
