Overview

overview

10

Static

static

6eb5f18896...15.exe

windows7-x64

10

6eb5f18896...15.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    164s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6eb5f18896abf80b4038bc6650196d8017959bd6963af27225f2e10762497615.exe

  • Size

    178KB

  • MD5

    727cf305772860abd334c71d7bc36059

  • SHA1

    ed9da02796cec03459453485dd44858dda180938

  • SHA256

    6eb5f18896abf80b4038bc6650196d8017959bd6963af27225f2e10762497615

  • SHA512

    26ab7384dbff320132d4d9501456d3ef88e5045cfdf48ef097849f61fab4ea8655e8c07c3d3926500c07e0ddd33291005c7c926db4596e96c600de58a6c6c56a

  • SSDEEP

    3072:5lZeYd+OK4GoCsMQFG+jpAjhMLtnpSjX/1UTyHXgBmJQHOmBODE6TGquD5csHUHK:5rld+O6slgGpmhMhUjaXBQQdB2Cb3LF3

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\6eb5f18896abf80b4038bc6650196d8017959bd6963af27225f2e10762497615.exe
      "C:\Users\Admin\AppData\Local\Temp\6eb5f18896abf80b4038bc6650196d8017959bd6963af27225f2e10762497615.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:1988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@
    Filesize

    2KB

    MD5

    65cedd9a38f543f68bc5fc3b73530130

    SHA1

    dfc15ba0f232349bbad3631250a5f3c11f19e50d

    SHA256

    7da66402c78e584b5db02a04e64eea958e050058e0d6d74068c4c4a41693e320

    SHA512

    d553775e2896926f68973bb93bbd8d04743eef75f109414a825266dd612eaefaaa94575f22d449494cb6ec61b588eb73d0135935bcd439eefcce50ba77ef9017

    Download Submit

  • memory/460-69-0x0000000000230000-0x000000000023B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/460-59-0x0000000000460000-0x000000000046F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-55-0x0000000000460000-0x000000000046F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-66-0x0000000000230000-0x000000000023B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/460-67-0x0000000000470000-0x000000000047F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-63-0x0000000000460000-0x000000000046F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-70-0x0000000000470000-0x000000000047F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1140-65-0x00000000001B0000-0x00000000001DF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1140-64-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1140-54-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1140-72-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download