Overview

overview

10

Static

static

f6daca44da...45.exe

windows7-x64

10

f6daca44da...45.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    153s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 11:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f6daca44daa22744db69585aaaae78f3b6549fcacc0d67125d5092a0f15a1945.exe

  • Size

    274KB

  • MD5

    e3bf490f08ba1c4169819a74461fc464

  • SHA1

    55d16e7f656251339b570484c8e86c586cd26586

  • SHA256

    f6daca44daa22744db69585aaaae78f3b6549fcacc0d67125d5092a0f15a1945

  • SHA512

    d2ab30ac9a3486cc256a0e9731d346e34a5bee5325e212086a0182e706f592245927c02224fdc9c9651c10eccafdb63f42e7bfb1d8de7900643f8d518fa9bc5c

  • SSDEEP

    6144:3HrnR2l+o+APC1BQLHgXvLIw0uiNNfYSyM2FqRHmZQcoqAkR5:3HMl+dAOQEIwSNfYNM2F5ZZoPkR5

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6daca44daa22744db69585aaaae78f3b6549fcacc0d67125d5092a0f15a1945.exe
    "C:\Users\Admin\AppData\Local\Temp\f6daca44daa22744db69585aaaae78f3b6549fcacc0d67125d5092a0f15a1945.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:964

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\AppPatch\svchost.exe
          Filesize

          274KB

          MD5

          811185698f0169e8a19f0dc719459eeb

          SHA1

          773eafccaee3818e42005fe68293ed142ed9d41f

          SHA256

          c1929039b23d1763ed83ad003a846a9b01bbf924afec314a78b0f5ba766afc58

          SHA512

          fa6a10f088f44a2747bc031022e130c70804d7761523ce0aae6e61c5d5f7dc8fba690eb834e453cb08183f76242b7605c05262ceb176c8a8200be40415766f8b

          Download Submit

        • C:\Windows\apppatch\svchost.exe
          Filesize

          274KB

          MD5

          811185698f0169e8a19f0dc719459eeb

          SHA1

          773eafccaee3818e42005fe68293ed142ed9d41f

          SHA256

          c1929039b23d1763ed83ad003a846a9b01bbf924afec314a78b0f5ba766afc58

          SHA512

          fa6a10f088f44a2747bc031022e130c70804d7761523ce0aae6e61c5d5f7dc8fba690eb834e453cb08183f76242b7605c05262ceb176c8a8200be40415766f8b

          Download Submit

        • \Windows\AppPatch\svchost.exe
          Filesize

          274KB

          MD5

          811185698f0169e8a19f0dc719459eeb

          SHA1

          773eafccaee3818e42005fe68293ed142ed9d41f

          SHA256

          c1929039b23d1763ed83ad003a846a9b01bbf924afec314a78b0f5ba766afc58

          SHA512

          fa6a10f088f44a2747bc031022e130c70804d7761523ce0aae6e61c5d5f7dc8fba690eb834e453cb08183f76242b7605c05262ceb176c8a8200be40415766f8b

          Download Submit

        • \Windows\AppPatch\svchost.exe
          Filesize

          274KB

          MD5

          811185698f0169e8a19f0dc719459eeb

          SHA1

          773eafccaee3818e42005fe68293ed142ed9d41f

          SHA256

          c1929039b23d1763ed83ad003a846a9b01bbf924afec314a78b0f5ba766afc58

          SHA512

          fa6a10f088f44a2747bc031022e130c70804d7761523ce0aae6e61c5d5f7dc8fba690eb834e453cb08183f76242b7605c05262ceb176c8a8200be40415766f8b

          Download Submit

        • memory/964-63-0x0000000000400000-0x00000000004B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/964-65-0x0000000000660000-0x00000000006FC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/964-66-0x0000000000660000-0x00000000006DB000-memory.dmp

          Filesize

          492KB

          Download

        • memory/964-68-0x00000000006AF000-0x00000000006FC000-memory.dmp

          Filesize

          308KB

          Download

        • memory/964-70-0x0000000000660000-0x00000000006DB000-memory.dmp

          Filesize

          492KB

          Download

        • memory/964-72-0x0000000001F00000-0x0000000002B4A000-memory.dmp

          Filesize

          12.3MB

          Download

        • memory/964-73-0x0000000000400000-0x00000000004B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/1816-57-0x0000000000400000-0x00000000004B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/1816-56-0x0000000002030000-0x0000000002C7A000-memory.dmp

          Filesize

          12.3MB

          Download

        • memory/1816-54-0x0000000075511000-0x0000000075513000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1816-64-0x0000000000400000-0x00000000004B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/1816-55-0x0000000000400000-0x00000000004B9000-memory.dmp

          Filesize

          740KB

          Download