Analysis

  • max time kernel
    102s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2022 13:53

General

  • Target

    79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe

  • Size

    958KB

  • MD5

    ed7272f7f45de161f0c7f49f80aebf11

  • SHA1

    fb4507805f927cea5511474f8dde93d1e9a0dcd4

  • SHA256

    79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9

  • SHA512

    f0b4ebdb1d55a4946dcd2594bb8647615ac4bab417bdc3950d4d925d0bcd25f642f6fe4d5c4bf85b487a98a68f46d0c779da97952585cfa667f85da5d8262866

  • SSDEEP

    24576:qc//////5T0CHKaKy5hAETLg9HY3tfE93cazXKZjUM:qc//////5IQK8KETL4HGs93tKG

Score
8/10

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Kills process with taskkill 15 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe (PID 1700)
    "C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe (PID 952)
      C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe
      • Drops file in Drivers directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\taskkill.exe (PID 628)
        taskkill /f /im DNF.exe.manifest
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 844)
        taskkill /f /im TenSafe.exe_1
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 1508)
        taskkill /f /im TenSafe.exe_2
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 752)
        taskkill /f /im TenSafe.exe_1.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 1048)
        taskkill /f /im TenSafe.exe_2.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 696)
        taskkill /f /im QQDL.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 292)
        taskkill /f /im Tencentdl.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 1812)
        taskkill /f /im TenSafe.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 608)
        taskkill /f /im TXPlatform.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 988)
        taskkill /f /im QQLOING.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 316)
        taskkill /f /im DNF.exe.manifest
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 956)
        taskkill /f /im DNF.exe.manifest
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 1748)
        taskkill /f /im Tencentdl.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 1068)
        taskkill /f /im DNFchina.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\taskkill.exe (PID 2480)
        taskkill /f /im DNF.exe.manifest
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken

Downloads

  • memory/952-61-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
  • memory/952-56-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
  • memory/952-54-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
  • memory/952-60-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
  • memory/952-59-0x00000000764C1000-0x00000000764C3000-memory.dmp (Filesize 8KB)
  • memory/952-79-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
  • memory/952-76-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)