Overview

overview

10

Static

static

f72037a07d...fa.exe

windows7-x64

10

f72037a07d...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa.exe

  • Size

    230KB

  • MD5

    af24764584267de44e98dfde976b0191

  • SHA1

    4fd84c0c2cbe6affc2e09d55d897889664a71da6

  • SHA256

    f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

  • SHA512

    45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

  • SSDEEP

    3072:lcb/0w4wde92SXNDuq6SNtPcXHJxmjNcgmOlq07FFnJYIt0DEgv9OlnPJ2JRDXeH:ls/BfUiq64hNcgb33n2IsGnP0JJe

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa.exe
    "C:\Users\Admin\AppData\Local\Temp\f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\AppData\Local\Temp\f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa.exe
      "C:\Users\Admin\AppData\Local\Temp\f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\WINDÎWS\åõðlîrår.exe
        C:\WINDÎWS\åõðlîrår.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\WINDÎWS\åõðlîrår.exe
          C:\WINDÎWS\åõðlîrår.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM explorer.exe
            5⤵
            • Kills process with taskkill
            PID:1492
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1252
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5a4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1564
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1280
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1816
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    PID:988
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1912

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • C:\WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • C:\WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • \WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • \WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • \WINDÎWS\åõðlîrår.exe
      Filesize

      230KB

      MD5

      af24764584267de44e98dfde976b0191

      SHA1

      4fd84c0c2cbe6affc2e09d55d897889664a71da6

      SHA256

      f72037a07dc05e19826d9354a8b11e6006a6a545604fc134bf615908fdf47dfa

      SHA512

      45cd5a58cdbcc9643043378512a564561bda7e2f0403bc710e7de1a35f5b1a4abd2ed4dd3a2ee0a6c7787a297198d87ca8ef843b54c2dbf44c37f1fbce742987

      Download Submit

    • memory/1252-70-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1384-96-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1384-99-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-60-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-69-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-63-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-61-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-67-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-58-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-54-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-57-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-55-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-65-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-97-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1572-68-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download