Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 05:45 UTC

General

  • Target

    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe

  • Size

    120KB

  • MD5

    ce864d665393355666a25c3e9111d60e

  • SHA1

    bc8aef867c2d8dbe9de85635c6cba394d5243d1a

  • SHA256

    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1

  • SHA512

    9ad6dc0169bf55af045e2cd2fcaa49b54dad77627d490d6e9c6343f630ac29cda03d8696a2eea286c5a1636d0b2a3ce65468dedea3216b0432c510e0a3234e13

  • SSDEEP

    1536:Hzo1wMcVaVj2ZyD0IexGyvtvgFohDP4gDmPnO1DYZMVE44dV+uNjghpOl:Hzo1wMgaVyggIexGcoFoh5TW3V+uN/l

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe"
    PID: 4760 (process tree depth 1, the root process of the analysis)
    Signatures triggered by this process:
    • Adds policy Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
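Added example (written for this page, not output of the sandbox or code from the sample): a PowerShell check for the persistence mechanism behind the "Adds policy Run key to start application" signature. The report names the signature but not the value name or the target path written, so the key paths below are the standard Explorer policy Run locations (an assumption), and each launched executable is hashed against the SHA256 from the General section rather than matched by file name, because the sample also triggers RenamesItself and may no longer be called b1176...exe on disk.

```powershell
# Added example, not part of the sandbox report. Enumerates the Explorer policy
# Run keys (the locations the "Adds policy Run key" signature covers) and hashes
# each launched executable against the sample's SHA256 from the report.
$SampleSha256 = 'b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1'

# Standard policy Run locations. Assumed: the report does not state which key the sample wrote.
$PolicyRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Properties Get-ItemProperty adds for the registry provider; they are not Run values.
$ProviderMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # A quoted path ("C:\dir with spaces\x.exe" args) takes the quoted part;
    # an unquoted command takes its first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

foreach ($key in $PolicyRunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($ProviderMetadata -contains $prop.Name) { continue }
        $command = [string]$prop.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $command))
        $hash = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLowerInvariant()
        }
        # One row per Run value; MatchesSample ties the entry to this exact binary.
        [pscustomobject]@{
            Key           = $key
            ValueName     = $prop.Name
            Command       = $command
            Executable    = $exe
            SHA256        = $hash
            MatchesSample = ($hash -eq $SampleSha256)
        }
    }
}
```

Any row at all is worth a look: outside GPO-managed environments the Policies\Explorer\Run keys are normally empty, and they are easy to miss because Autoruns-style checks that only read the usual CurrentVersion\Run locations skip them. A row whose executable no longer exists (SHA256 empty) still records the path the sample tried to persist, which is the artifact to keep for the timeline.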

Network

  • DNS query (flag: unknown): reg.163.com, type A, from b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe to 8.8.8.8:53
    Response: reg.163.com CNAME regonly.urs.ntes53.netease.com
              regonly.urs.ntes53.netease.com A 103.126.92.196
              regonly.urs.ntes53.netease.com A 103.126.92.197
  • DNS query (flag: unknown): smtp.163.com, type A, from b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe to 8.8.8.8:53
    Response: smtp.163.com A 123.126.97.113
  • DNS query (flag: unknown): AllocateCaptchaIp.mm-road.com, type A, from b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe to 8.8.8.8:53
    Response: none recorded
  • DNS query (flag: unknown): AllocateCaptchaIp.mm-road.com, type A, from b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe to 8.8.8.8:53 (second query for the same name)
    Response: none recorded
  • 93.184.220.29:80
    322 B
    7
  • 13.69.109.130:443
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 8.8.8.8:53
    reg.163.com
    dns
    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe
    57 B
    130 B
    1
    1

    DNS Request

    reg.163.com

    DNS Response

    103.126.92.196
    103.126.92.197

  • 8.8.8.8:53
    smtp.163.com
    dns
    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe
    58 B
    74 B
    1
    1

    DNS Request

    smtp.163.com

    DNS Response

    123.126.97.113

  • 8.8.8.8:53
    AllocateCaptchaIp.mm-road.com
    dns
    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe
    75 B
    148 B
    1
    1

    DNS Request

    AllocateCaptchaIp.mm-road.com

  • 8.8.8.8:53
    AllocateCaptchaIp.mm-road.com
    dns
    b11766124297a438824722730f1ba092416ec4d7db71ddbd81268270078688e1.exe
    75 B
    148 B
    1
    1

    DNS Request

    AllocateCaptchaIp.mm-road.com

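Added example (written for this page, not output of the sandbox or code from the sample): a PowerShell sweep of a Windows host for the network indicators above, taken from the report as listed: the three queried names, the resolved addresses, and, where Sysmon is installed, its event ID 22 DNS query records. Two caveats a responder should keep in mind: reg.163.com and smtp.163.com are NetEase's shared account-registration and mail-submission hosts, so a hit on them alone is weak evidence (the report records only that the sample resolved them, not what it did with them), while AllocateCaptchaIp.mm-road.com, which got no answer in the sandbox, is the more specific name to alert on. The Sysmon log name and message field names are assumed to be the defaults.

```powershell
# Added example, not part of the sandbox report. Sweeps the local host for the
# DNS names and addresses the report lists under Network.
$Domains   = @('reg.163.com', 'smtp.163.com', 'AllocateCaptchaIp.mm-road.com')
$Addresses = @('103.126.92.196', '103.126.92.197', '123.126.97.113')

# Ordered by specificity; the 163.com names are shared NetEase infrastructure.
$Weight = @{ 'AllocateCaptchaIp.mm-road.com' = 'high'; 'reg.163.com' = 'low'; 'smtp.163.com' = 'low' }

$findings = New-Object System.Collections.Generic.List[object]

# 1. Local resolver cache (-contains compares case-insensitively, so the mixed-case name still matches).
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($Domains -contains $entry.Entry) {
        $findings.Add([pscustomobject]@{
            Source = 'DnsClientCache'; Indicator = $entry.Entry; Detail = $entry.Data
            Weight = $Weight[$entry.Entry.ToLowerInvariant()]
        })
    }
}

# 2. Live TCP connections to any of the resolved addresses, with the owning process.
foreach ($conn in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
    if ($Addresses -contains $conn.RemoteAddress) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Source = 'NetTCPConnection'
            Indicator = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Detail = "$($conn.State) pid=$($conn.OwningProcess) $($proc.ProcessName)"
            Weight = 'medium'
        })
    }
}

# 3. Sysmon DNS query events (ID 22), if the Sysmon operational log exists.
#    Assumed default log name and "QueryName:" / "Image:" message fields.
$sysmonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } -ErrorAction SilentlyContinue
foreach ($ev in $sysmonEvents) {
    if ($ev.Message -match 'QueryName:\s*(\S+)') {
        $name = $Matches[1]
        if ($Domains -contains $name) {
            $image = if ($ev.Message -match 'Image:\s*(.+)') { $Matches[1].Trim() } else { '' }
            $findings.Add([pscustomobject]@{
                Source = 'Sysmon22'; Indicator = $name
                Detail = "$($ev.TimeCreated.ToString('u')) $image"
                Weight = $Weight[$name.ToLowerInvariant()]
            })
        }
    }
}

$findings | Sort-Object Weight, Source | Format-Table -AutoSize
```

Note that `$Weight` is keyed by lower-cased name, so the lookup lower-cases whatever the cache or Sysmon returns before indexing; hashtable keys in PowerShell are case-insensitive by default too, but normalising makes the intent explicit. The three unattributed TCP rows in the table above (93.184.220.29, 13.69.109.130, 104.80.225.205) are left out on purpose: the report ties no domain or process to them, so they cannot be used as indicators for this sample.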
MITRE ATT&CK Enterprise v6
