Analysis

  • max time kernel
    143s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2022, 21:58

General

  • Target

    bd9079d295c7a906d1b0bbe5a2f975cf23512a768b8aa5b06de4f30c3da2998e.exe

  • Size

    385KB

  • MD5

    5977a8be127803556325945452a6dcfb

  • SHA1

    d1d72726b922cc0f0a88981f7cc3e6c776c582f8

  • SHA256

    bd9079d295c7a906d1b0bbe5a2f975cf23512a768b8aa5b06de4f30c3da2998e

  • SHA512

    dcd71602a2742c45bd5837f4b77ea6a5f3ad27d96adb545c6b2065983da2e013a4957d8063a63ae8596e7f9ea22f24feeb5528706ea00b1067557873c8ac3539

  • SSDEEP

    6144:MRAhhJxX7bNIAROzTb2uuXp+7qxQ3rfvQ2ZblmR4lQOqBpFbmbqsykpAMoVU:UsAAM2dZYVvQ6lmCl/qBTmfz

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd9079d295c7a906d1b0bbe5a2f975cf23512a768b8aa5b06de4f30c3da2998e.exe
    "C:\Users\Admin\AppData\Local\Temp\bd9079d295c7a906d1b0bbe5a2f975cf23512a768b8aa5b06de4f30c3da2998e.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Modifies registry class
      PID:976

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\svchost.exe

    Filesize

    385KB

    MD5

    08eb1f4dea87980784865de2b0962cad

    SHA1

    49219eb41b60cf767dc1184fd7ca90c2d052382e

    SHA256

    b1ebd1700030c5a59187e205adca5d1ef61dcc5fad411d45cdb9f5200678876e

    SHA512

    8e37d61995e9b9efbb993af3fb1e12761ffa10507e6a05be1e5d52f0762c54d290d3fb0a806d1ea0613b28f8502c97f87961c32682518abd6f6e5b8e50e34229

  • memory/976-58-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/976-59-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1104-54-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1104-57-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB