Analysis

  • max time kernel
    179s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 13:53

General

  • Target

    79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe

  • Size

    958KB

  • MD5

    ed7272f7f45de161f0c7f49f80aebf11

  • SHA1

    fb4507805f927cea5511474f8dde93d1e9a0dcd4

  • SHA256

    79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9

  • SHA512

    f0b4ebdb1d55a4946dcd2594bb8647615ac4bab417bdc3950d4d925d0bcd25f642f6fe4d5c4bf85b487a98a68f46d0c779da97952585cfa667f85da5d8262866

  • SSDEEP

    24576:qc//////5T0CHKaKy5hAETLg9HY3tfE93cazXKZjUM:qc//////5IQK8KETL4HGs93tKG

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Kills process with taskkill 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe
    "C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe
      C:\Users\Admin\AppData\Local\Temp\79af0854a72fdd0d1dfe41e6790637347c995f671fa49342c026d81ce483d6a9.exe
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im DNF.exe.manifest
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3368
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TenSafe.exe_1
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4212
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TenSafe.exe_2
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:940
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TenSafe.exe_1.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TenSafe.exe_2.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im QQDL.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3184
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TXPlatform.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Tencentdl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im TenSafe.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im QQLOING.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im DNFchina.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Tencentdl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:620
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im DNF.exe.manifest
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im DNF.exe.manifest
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im DNF.exe.manifest
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832

Network

MITRE ATT&CK Matrix


Downloads

  • memory/3164-153-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize: 2.0MB)
  • memory/3164-137-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize: 2.0MB)
  • memory/3164-136-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize: 2.0MB)
  • memory/3164-135-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize: 2.0MB)
  • memory/3164-133-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize: 2.0MB)