Overview

overview

8

Static

static

b20aa42ff1...5a.exe

windows7-x64

8

b20aa42ff1...5a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    205s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a.exe

  • Size

    128KB

  • MD5

    600e0cf619fe61b4a167005d73682315

  • SHA1

    3aba6bfec5a715912d32830d555bd7f18e01ac28

  • SHA256

    b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a

  • SHA512

    e5c49884406060c2ee29a74b2080600ecd5f16254182f8173c23d8c02ac9f9562958954454ffc88320a83154ce828aaab5f337cd6c33efd968ff42f86079f05f

  • SSDEEP

    3072:YbXC2nRetdfSp6TedEh03HzCz3EsT7n+xJ:YbyMhp6Ted603HzCzEsi

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a.exe
    "C:\Users\Admin\AppData\Local\Temp\b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Local\Temp\b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a.exe
      C:\Users\Admin\AppData\Local\Temp\b20aa42ff17effd503ac1daf7a3a7c1c370daca475a7ad93baae56f4a0367d5a.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Roaming\x9el0.exe
        C:\Users\Admin\AppData\Roaming\x9el0.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 276
          4⤵
          • Program crash
          PID:1388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 288
      2⤵
      • Program crash
      PID:2080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1092 -ip 1092
    1⤵
      PID:1304
    • C:\Users\Admin\AppData\Roaming\x9el0.exe
      C:\Users\Admin\AppData\Roaming\x9el0.exe
      1⤵
      • Executes dropped EXE
      PID:2176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5068 -ip 5068
      1⤵
        PID:2172

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\x9el0.exe
        Filesize

        128KB

        MD5

        4d17b8f80f98ad1385f0cfedf0eb8123

        SHA1

        38c26305836e1d04df5f649b4c9b9a5427c3118c

        SHA256

        ca62c3d955eaaf993fc4ddb7791f3cad1a7611ffc3ca47d87b765001096d66c3

        SHA512

        e270adb510ec168b96502a479f934ffe8bf06d738d2d365a1865057411606fae86436dd0e1e7275dc643203a9e1a6b37e74c70b0584dfd672456228da910b570

        Download Submit

      • C:\Users\Admin\AppData\Roaming\x9el0.exe
        Filesize

        128KB

        MD5

        4d17b8f80f98ad1385f0cfedf0eb8123

        SHA1

        38c26305836e1d04df5f649b4c9b9a5427c3118c

        SHA256

        ca62c3d955eaaf993fc4ddb7791f3cad1a7611ffc3ca47d87b765001096d66c3

        SHA512

        e270adb510ec168b96502a479f934ffe8bf06d738d2d365a1865057411606fae86436dd0e1e7275dc643203a9e1a6b37e74c70b0584dfd672456228da910b570

        Download Submit

      • C:\Users\Admin\AppData\Roaming\x9el0.exe
        Filesize

        128KB

        MD5

        4d17b8f80f98ad1385f0cfedf0eb8123

        SHA1

        38c26305836e1d04df5f649b4c9b9a5427c3118c

        SHA256

        ca62c3d955eaaf993fc4ddb7791f3cad1a7611ffc3ca47d87b765001096d66c3

        SHA512

        e270adb510ec168b96502a479f934ffe8bf06d738d2d365a1865057411606fae86436dd0e1e7275dc643203a9e1a6b37e74c70b0584dfd672456228da910b570

        Download Submit

      • memory/2176-142-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2176-147-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2176-146-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2176-145-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2176-143-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4532-135-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4532-144-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4532-134-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4532-133-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download