Overview

overview

10

Static

static

72b3529157...f2.exe

windows7-x64

10

72b3529157...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    311s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72b352915720bc6f7e8c1f12489288f3dd3935eeeec0676bd0fdba8d71051af2.exe

  • Size

    184KB

  • MD5

    2f88dbb08adad835192dd10bcf0de3d0

  • SHA1

    e632684e46c58dd4c642912f40352eb41b93c732

  • SHA256

    72b352915720bc6f7e8c1f12489288f3dd3935eeeec0676bd0fdba8d71051af2

  • SHA512

    16d9a0beb0628265060010e5a2f7e66f435ee7e36015f67c263a6e8f531acb6096300978898527198c193342641aca4d15c8a3b899419c015b3e99828e8649ef

  • SSDEEP

    3072:uyYrBL2yxWmCzd2d87qix4OgUWvG47OJYcGbsQ74jaWsxSZTMZjp9Ryu50h8k:yRBxWvzM87DxJKwYcejWss2jp90a0N

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72b352915720bc6f7e8c1f12489288f3dd3935eeeec0676bd0fdba8d71051af2.exe
    "C:\Users\Admin\AppData\Local\Temp\72b352915720bc6f7e8c1f12489288f3dd3935eeeec0676bd0fdba8d71051af2.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4568
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
        PID:1968
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe http://www.google.com.tr/
        2⤵
          PID:1220
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode disable
          2⤵
          • Modifies Windows Firewall
          PID:5100
        • C:\Windows\SysWOW64\net.exe
          net stop security center
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop security center
            3⤵
              PID:2616
          • C:\Windows\SysWOW64\net.exe
            net stop WinDefend
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3148
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop WinDefend
              3⤵
                PID:4824
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3620
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com.tr/
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4732
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7fff698046f8,0x7fff69804708,0x7fff69804718
                3⤵
                  PID:1200

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads