Analysis

  • max time kernel
    65s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 09:23

Errors

Reason
Machine shutdown

General

  • Target

    917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

  • Size

    81KB

  • MD5

    30cf084eeeb56ee7c01a2e214f348d76

  • SHA1

    2b43dfd8c398a4925ea66653d351f84af669d3e3

  • SHA256

    917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62

  • SHA512

    f94dc5a93122999ad35dd3c07bc0db08cfd88ad0e4dc55c7768b3d75e441f290d5a259237cf5401cbc407d50223eb513b03eb3d45f891872b0ff49be2f423f16

  • SSDEEP

    384:PJG14lR/NpKAN+UJfo8vJh/7neuwyv3ZUKcreuDreuwyv3ZUKcreuDz:RFtFe8vJtDeunUreufeunUreuf

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
    "C:\Users\Admin\AppData\Local\Temp\917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winsock.exe"
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winkernel32.exe"
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa399b055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:736

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\winkernel32.exe

    Filesize

    82KB

    MD5

    2d5f13ab450419daf51ea24c166a4643

    SHA1

    660314edf71170b4a356992cc80f517e7873baf3

    SHA256

    9d32a4555e55e433200cd6a17dafa745731e3b789a4d4252d67b595891267d39

    SHA512

    c7f2cba5763cca86bbc26104678c6f5f9af1435dca1783d3526f4b1d2c036ed9b7b7d09f22af0aeaa13cfda470a75b49781c556d6d39814ebec0ad1b3f00f503

  • C:\Windows\SysWOW64\winsock.exe

    Filesize

    104KB

    MD5

    7f29eebbc3d0a02292dccfff0d58adb9

    SHA1

    5babae24a81020b742d2b7755cc4bd86e92b8dff

    SHA256

    f3964c3743e56479e18661e1f09eedcb1200e65978322fb5c26e25c4ecc7305f

    SHA512

    c0670a2eb2f5eb272dbd2b715ff1f4d47f9fcf99f54f77417e8829cb1430a802b4f45b96a7239660f338249c9fff3a72228476d544dfe798d106a97df9d65734