Overview

overview

8

Static

static

9e4a21031c...69.exe

windows7-x64

8

9e4a21031c...69.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 05:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e4a21031c25ac26d85803bd904c4f3ba2816648b7d264ff9d2b919fca499169.exe

  • Size

    218KB

  • MD5

    83a82a2522657fb6f48627e7b8ccb13a

  • SHA1

    bef78c9433849c4b3052f8ad1b103d7fef9a4724

  • SHA256

    9e4a21031c25ac26d85803bd904c4f3ba2816648b7d264ff9d2b919fca499169

  • SHA512

    d8e82b483eeb8de9d9625096aec3bad317e3e02fc45540f35b9ecd794c7c3e997954472ccb0a0fb2867e94020fe60229033b84592f91b087fa7b4ce6d0f72d6d

  • SSDEEP

    6144:TU9zKH8b4cWRB0Obi51CcCCGWFALoidMUc+:TI6cSaFvCC6LoidTc

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:876
  • C:\Users\Admin\AppData\Local\Temp\9e4a21031c25ac26d85803bd904c4f3ba2816648b7d264ff9d2b919fca499169.exe
    "C:\Users\Admin\AppData\Local\Temp\9e4a21031c25ac26d85803bd904c4f3ba2816648b7d264ff9d2b919fca499169.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      PID:700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\consrv.dll
    Filesize

    53KB

    MD5

    63e99b675a1337db6d8430195ea3efd2

    SHA1

    1baead2bf8f433dc82f9b2c03fd65ce697a92155

    SHA256

    6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

    SHA512

    f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

    Download Submit

  • \??\globalroot\systemroot\assembly\temp\@
    Filesize

    2KB

    MD5

    20a8d16991f4a89f342b57513f0a77c2

    SHA1

    5c3f246c6f9549070d5813047f63e5e0c001f98c

    SHA256

    4640fcb56c593743257c3b787d175a1f2d706dfd7bf7b2db74cba20813c2b041

    SHA512

    67933838fdb6ea357ca60e82775d8d91ba6c66ce158d3a4fbed99d471a638b7403e89ed4cbc4733a52b5e40b4951c385fb5d12cc31950f9c6e2e01891b7d233f

    Download Submit

  • \Windows\System32\consrv.dll
    Filesize

    53KB

    MD5

    63e99b675a1337db6d8430195ea3efd2

    SHA1

    1baead2bf8f433dc82f9b2c03fd65ce697a92155

    SHA256

    6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

    SHA512

    f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

    Download Submit

  • memory/336-78-0x0000000001EC0000-0x0000000001ED2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/876-103-0x00000000008D0000-0x00000000008DB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/876-102-0x00000000008B0000-0x00000000008B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/876-96-0x00000000008D0000-0x00000000008DB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/876-95-0x00000000008B0000-0x00000000008B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/876-93-0x00000000008C0000-0x00000000008CB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/876-89-0x00000000008C0000-0x00000000008CB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/876-85-0x00000000008C0000-0x00000000008CB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1552-68-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1552-82-0x0000000000381000-0x0000000000394000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1552-73-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-71-0x00000000003C0000-0x00000000003F7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-77-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-70-0x00000000003C0000-0x00000000003F7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-80-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1552-69-0x0000000000381000-0x0000000000394000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1552-81-0x0000000000220000-0x0000000000276000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1552-74-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-83-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-84-0x00000000003C0000-0x00000000003F7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1552-67-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-66-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-62-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-58-0x0000000000380000-0x00000000003B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1552-57-0x0000000000220000-0x0000000000276000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1552-56-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1552-55-0x0000000000220000-0x0000000000276000-memory.dmp

    Filesize

    344KB

    Download