Overview

overview

10

Static

static

3bf0a484b0...0a.exe

windows7-x64

10

3bf0a484b0...0a.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    153s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a.exe

  • Size

    157KB

  • MD5

    8508ce39832ac5ec0bb510b35465629e

  • SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

  • SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

  • SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

  • SSDEEP

    3072:MkOYL0Db5OJcaZ3KNQyxCDSe6i3tvk6T/+Qcdym+INp1rkj:MCL0Db5pa0QXDSejj+tCINp1Aj

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a.exe
    "C:\Users\Admin\AppData\Local\Temp\3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a.exe
      "C:\Users\Admin\AppData\Local\Temp\3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\WINDÎWS\åõðlîrår.exe
        C:\WINDÎWS\åõðlîrår.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\WINDÎWS\åõðlîrår.exe
          C:\WINDÎWS\åõðlîrår.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM explorer.exe
            5⤵
            • Kills process with taskkill
            PID:520
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1148
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x548
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:524
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1616
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1472
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDÎWS\åõðlîrår.exe
    Filesize

    157KB

    MD5

    8508ce39832ac5ec0bb510b35465629e

    SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

    SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

    SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

    Download Submit

  • C:\WINDÎWS\åõðlîrår.exe
    Filesize

    157KB

    MD5

    8508ce39832ac5ec0bb510b35465629e

    SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

    SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

    SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

    Download Submit

  • C:\WINDÎWS\åõðlîrår.exe
    Filesize

    157KB

    MD5

    8508ce39832ac5ec0bb510b35465629e

    SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

    SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

    SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

    Download Submit

  • \WINDÎWS\åõðlîrår.exe
    Filesize

    157KB

    MD5

    8508ce39832ac5ec0bb510b35465629e

    SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

    SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

    SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

    Download Submit

  • \WINDÎWS\åõðlîrår.exe
    Filesize

    157KB

    MD5

    8508ce39832ac5ec0bb510b35465629e

    SHA1

    74a386a774e37a444223486d826ba62db9fd71f1

    SHA256

    3bf0a484b0d42af707c586ef6138bd79dec48d198ff3b76237b5586cfd64e70a

    SHA512

    d8c61be79ad5788274c27ce7b649db5b15b8d8cec1f0624d2eaf4dddd389738280f25808d91fe0c41cbb4544087f632e48db8f187eba285e18105304a0df1414

    Download Submit

  • memory/1148-69-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1196-71-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-60-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-68-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-54-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-65-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-63-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-61-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-55-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-67-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-79-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-58-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1196-57-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1540-97-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1540-99-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download