Overview

overview

8

Static

static

821f4a17d3...53.exe

windows7-x64

8

821f4a17d3...53.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    101s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 02:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    821f4a17d32edfd60fe2f72371eb256e82b874a384154cc96916670718630b53.exe

  • Size

    184KB

  • MD5

    a7b874e729944aef06c30c45c79cb5a2

  • SHA1

    7cf6f932d9db67cb41594d525f0fdacb1eb8aa7a

  • SHA256

    821f4a17d32edfd60fe2f72371eb256e82b874a384154cc96916670718630b53

  • SHA512

    97745485da5a25d850a274ba3af6ae2f1d875e8a5ef19e6ff17b2f413c9488b903d83ad8d86e8d4c6f98f2543ba9419d169322ce5c8d96a93d4e9142923e1054

  • SSDEEP

    3072:GpYV4vTyGXE8RqiGc0ggKTL02m6MOOVY8evilv2YtRW6zdkDkjTq8Zr1z8ChzGlc:XiWGNp0gHX0CVS2YWIJgC

Score
8/10
persistence

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\821f4a17d32edfd60fe2f72371eb256e82b874a384154cc96916670718630b53.exe
        "C:\Users\Admin\AppData\Local\Temp\821f4a17d32edfd60fe2f72371eb256e82b874a384154cc96916670718630b53.exe"
        2⤵
        • Registers COM server for autorun
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Deletes itself
          PID:824

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \systemroot\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@
            Filesize

            2KB

            MD5

            e91a7f6efda1013a18efb89e2b325dc8

            SHA1

            887f6d4dc5cf5701887c97b5d09a6864df49e01f

            SHA256

            e90c60814b17e2b491a8d5d9252ce82206e94b4f357048416272367d787be79c

            SHA512

            eb7679d7448197bf496fdf16b640341848e14b0ddc829c29ab71997fb0fc54356d910fae8b806c5ef9c2c67d184a9d3992883a8445d1e013e363e49849d3a7cc

            Download Submit

          • memory/464-82-0x0000000000080000-0x0000000000088000-memory.dmp

            Filesize

            32KB

            Download

          • memory/464-75-0x00000000001B0000-0x00000000001BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/464-77-0x0000000000080000-0x0000000000088000-memory.dmp

            Filesize

            32KB

            Download

          • memory/464-83-0x0000000000240000-0x000000000024C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/464-78-0x0000000000240000-0x000000000024C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/464-71-0x00000000001B0000-0x00000000001BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1376-66-0x0000000002770000-0x000000000277C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1376-56-0x0000000002760000-0x000000000276C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1376-64-0x0000000002760000-0x000000000276C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1376-81-0x0000000002720000-0x0000000002728000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1376-65-0x0000000002720000-0x0000000002728000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1376-60-0x0000000002760000-0x000000000276C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-55-0x0000000000296000-0x00000000002C3000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1504-79-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1504-80-0x0000000000296000-0x00000000002C3000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1504-54-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1504-86-0x0000000000296000-0x00000000002C3000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1504-85-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download