Overview

overview

10

Static

static

c487c034b3...59.exe

windows7-x64

10

c487c034b3...59.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    45s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c487c034b38da0d62ad30164da4dfb8fba6de9a29a5134d3219bd351a8260d59.exe

  • Size

    181KB

  • MD5

    58dc37641751d74c7a14b427a87917a8

  • SHA1

    8c4ded583f5e806309240c04c35a58507bd4230f

  • SHA256

    c487c034b38da0d62ad30164da4dfb8fba6de9a29a5134d3219bd351a8260d59

  • SHA512

    1653a8b8adca6b0d8f4a0d58216bb940686d6bbcb1cd8dcfa40ee181f45ce6cee1ccdfff135cb3ea34e553b0236d6d2d633b99e8c64611cde31506752586190a

  • SSDEEP

    3072:a1wDmmKd/2TMV66KD+ZlU6RDvvvW9tDMtEG0f1exA1eYjYda9wUfIPGZr8i1fyiL:l9MQ69lU4TYwr0f1r1eUb9pfkGh8i1fx

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:468
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\c487c034b38da0d62ad30164da4dfb8fba6de9a29a5134d3219bd351a8260d59.exe
      "C:\Users\Admin\AppData\Local\Temp\c487c034b38da0d62ad30164da4dfb8fba6de9a29a5134d3219bd351a8260d59.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:1124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{a31e499c-3c7c-222a-40fd-7fc6e142514c}\@
    Filesize

    2KB

    MD5

    52e50773355022ecf1761ca6ca713d6e

    SHA1

    16d896e8050d5b51cf489b87168f1a10c1e5f9ed

    SHA256

    f18f7663854087b420debd10a629819e323275f9292961a200c4314416d3dbc9

    SHA512

    5d12300190af2af4a97d4f889ef06b78aa2b4a5a6902cf434713ec495553d80933f21f0e60d03303b9ee4f2995363e392eb324a1a823f78c5a59765bd9129d72

    Download Submit

  • memory/468-64-0x0000000000090000-0x000000000009F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/468-69-0x0000000000080000-0x000000000008B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/468-74-0x00000000000A0000-0x00000000000AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/468-68-0x0000000000090000-0x000000000009F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/468-60-0x0000000000090000-0x000000000009F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/468-73-0x0000000000080000-0x000000000008B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/468-70-0x00000000000A0000-0x00000000000AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1660-59-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-54-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-71-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-55-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-56-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-58-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-57-0x0000000000230000-0x0000000000278000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1660-76-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download