Overview

overview

10

Static

static

cf0177bf62...da.exe

windows7-x64

10

cf0177bf62...da.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf0177bf627b402d6b5c7d982c08b048b22b55a8188783081f4a184c85ab5cda.exe

  • Size

    198KB

  • MD5

    7beffa3c2e4abbe6464f42d6903fe8a3

  • SHA1

    8d9a9bf2671433d55288decd19e0d28a20b30edf

  • SHA256

    cf0177bf627b402d6b5c7d982c08b048b22b55a8188783081f4a184c85ab5cda

  • SHA512

    165ecfb6a773e76368fabb7fa5f057c29ec31eac15ee7e02b9b07637dfef3d8db2cdd5a5f3612a7a0fe87180b62e658c26bdc0c3384c059fd7ec4cc27af5ea7f

  • SSDEEP

    3072:edDvAv5nRN47EX5gsJz6GZrBQg8DEll65FwGKbzKDwh/sE03juWvWDAvq:Yy+iz1tS4lYKbccUECyWvxvq

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\cf0177bf627b402d6b5c7d982c08b048b22b55a8188783081f4a184c85ab5cda.exe
      "C:\Users\Admin\AppData\Local\Temp\cf0177bf627b402d6b5c7d982c08b048b22b55a8188783081f4a184c85ab5cda.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:1104

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@
    Filesize

    2KB

    MD5

    2eef41748beb2e197eafef324d4e010c

    SHA1

    efb34ab94dfebec38a61e625438ef3f9647f979a

    SHA256

    f5e907401f1e3ba377ae9bb5119f3e89d612f3c42944369662b124cb9d2fb2ce

    SHA512

    7547e1b57e01c04b9af185d09e8e9a83eea8ae15d81189f6921948bf5108f49ac2c7224e16d0bc449ff65ade10aebac252de62e2833a4a35042c4a47a9708657

    Download Submit

  • memory/460-67-0x00000000000F0000-0x00000000000FB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/460-72-0x0000000000130000-0x000000000013F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-56-0x0000000000120000-0x000000000012F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-60-0x0000000000120000-0x000000000012F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-64-0x0000000000120000-0x000000000012F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/460-71-0x00000000000F0000-0x00000000000FB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/460-68-0x0000000000130000-0x000000000013F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2044-54-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2044-70-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2044-66-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2044-55-0x0000000000230000-0x0000000000272000-memory.dmp

    Filesize

    264KB

    Download