Overview

overview

8

Static

static

ef1826caa6...b4.exe

windows7-x64

8

ef1826caa6...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    164s
  • max time network
    210s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef1826caa6ca65415e8ea5fcef32a1841f5c2580e5a08f219d902089aff395b4.exe

  • Size

    197KB

  • MD5

    959f14d00f19aa14ec823e83a7624153

  • SHA1

    b683798f3f43a99307d4351efc3953618d1360cf

  • SHA256

    ef1826caa6ca65415e8ea5fcef32a1841f5c2580e5a08f219d902089aff395b4

  • SHA512

    440f82635064bd759e464e3d1361c3b050c7ff47d44139b79141d601aa15c028f8a49fbb53a578ca73d07f41df3886b07ca1d15d18ce9e5377d291f9e94b8371

  • SSDEEP

    3072:cTqoWn7WlApz74iEbHjzA6qT7i7Aop+5jBH9qpqf/X+EmtWwGzcP95CYwFnjEKM:SqoWqq7GXU6vAQ+3eofu9

Score
8/10
persistence

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Users\Admin\AppData\Local\Temp\ef1826caa6ca65415e8ea5fcef32a1841f5c2580e5a08f219d902089aff395b4.exe
    "C:\Users\Admin\AppData\Local\Temp\ef1826caa6ca65415e8ea5fcef32a1841f5c2580e5a08f219d902089aff395b4.exe"
    1⤵
    • Registers COM server for autorun
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      PID:552
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@
    Filesize

    2KB

    MD5

    28fb3771bef70a4db1b2a0c1db04493d

    SHA1

    1c8d647a14cb0bb1b6564539f332580a1817602a

    SHA256

    9d4d23dff1e6aace5c45d8d3263ebf20ead55294c04287c17bdc2dacf69b1cf6

    SHA512

    315ec38a8910daf347112e365600ada1611e3987acd1bb1bce4d44ab9c63d82e4ab8bc99b106f23a29f92e06f441f09e0ae0298846bbcf8500a798e51604b022

    Download Submit

  • memory/464-72-0x0000000000200000-0x000000000020F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/464-77-0x00000000001F0000-0x00000000001FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/464-78-0x0000000000210000-0x000000000021F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/464-76-0x0000000000200000-0x000000000020F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/464-83-0x0000000000210000-0x000000000021F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/464-82-0x00000000001F0000-0x00000000001FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1056-80-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1056-65-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1056-54-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1056-85-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1056-55-0x00000000002E0000-0x0000000000317000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1252-56-0x0000000002AB0000-0x0000000002ABF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1252-81-0x0000000002A90000-0x0000000002A9C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1252-64-0x0000000002AB0000-0x0000000002ABF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1252-60-0x0000000002AB0000-0x0000000002ABF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1252-67-0x0000000002AC0000-0x0000000002ACF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1252-66-0x0000000002A90000-0x0000000002A9C000-memory.dmp

    Filesize

    48KB

    Download