Overview

overview

8

Static

static

993b896cd6...f9.exe

windows7-x64

8

993b896cd6...f9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    993b896cd61b594ad9468ddc53a00b8b8ac855e7a0e49d65d1c100543c9525f9.exe

  • Size

    210KB

  • MD5

    291a5411f970d817751a844d47b262d5

  • SHA1

    7b11ae1b30785cdbd0912ae1e929d8649faf76d9

  • SHA256

    993b896cd61b594ad9468ddc53a00b8b8ac855e7a0e49d65d1c100543c9525f9

  • SHA512

    e231d1e528617354e7002fde5d1f6901b0b50ed19627c8c2ba5dc957638d04562a295a95a14b849b074a91101da6ada84e74739784d66343f8039d3d96f09458

  • SSDEEP

    6144:9NS5VmS/+PRHgzKmHMyTTaPrPXa3rkO2E1eJ+p:9IaxgzKmRUs+Oe0

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\993b896cd61b594ad9468ddc53a00b8b8ac855e7a0e49d65d1c100543c9525f9.exe
    "C:\Users\Admin\AppData\Local\Temp\993b896cd61b594ad9468ddc53a00b8b8ac855e7a0e49d65d1c100543c9525f9.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:384

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    210KB

    MD5

    731844d4f2735c0298e86758477526f9

    SHA1

    2d93dd4187fbcaf5e6a4fbbd71e973b75816d410

    SHA256

    d22e942333e77d2cfcbdeeb3fc4b7b0d1be2f9a388cdaf2e8edeea044751dd1d

    SHA512

    4cbb1d82fe1d19cb6fb5101a7bb7606a9e24e1623aec0dabde4b3df8e485768aa1df9659b5bac08008e68f18331235e97439a4b00e6403c7d6232cafb5fbb15d

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    210KB

    MD5

    731844d4f2735c0298e86758477526f9

    SHA1

    2d93dd4187fbcaf5e6a4fbbd71e973b75816d410

    SHA256

    d22e942333e77d2cfcbdeeb3fc4b7b0d1be2f9a388cdaf2e8edeea044751dd1d

    SHA512

    4cbb1d82fe1d19cb6fb5101a7bb7606a9e24e1623aec0dabde4b3df8e485768aa1df9659b5bac08008e68f18331235e97439a4b00e6403c7d6232cafb5fbb15d

    Download Submit

  • memory/384-135-0x0000000000000000-mapping.dmp

    Download

  • memory/384-138-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/384-141-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/384-142-0x00000000029C0000-0x0000000002A6A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/384-143-0x0000000002BB0000-0x0000000002C67000-memory.dmp

    Filesize

    732KB

    Download

  • memory/1612-132-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/1612-133-0x0000000002250000-0x00000000022A2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1612-134-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/1612-139-0x0000000002250000-0x00000000022A2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1612-140-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download