Overview

overview

6

Static

static

cd946f8631...04.exe

windows7-x64

6

cd946f8631...04.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    167s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe

  • Size

    149KB

  • MD5

    2aca3f75294e962c8f5efab3326e9117

  • SHA1

    81c045eb5f76697e786647b765d365d0262ab218

  • SHA256

    cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04

  • SHA512

    f637604a0a76ac10a05770a79274d8e88f4c33c89beb7af83a3919471d4739020c235531f6b3c8c8039b543f71a51782d27cfcd6420f1a812c838a59ec85004e

  • SSDEEP

    1536:RXcxTLIUH22hNPzEY0nbe6i4YrJENmjIDCJDGYygwtHZRzoeJPIHYZ0gr4OOUkN0:RRUB9zEY0beD4YbUGQYqXz/PIHjMRSu

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe
    "C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe
      "C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\mspaint.exe
          "C:\Windows\system32\mspaint.exe"
          4⤵
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4940
      • C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe
        "C:\Users\Admin\AppData\Local\Temp\cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4552
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3884
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:4920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      228d25dd7d377af29848012a2b059814

      SHA1

      a29a3c1e167f3581b0aa4be90b1769a89beab01c

      SHA256

      9d4e26398806093c8af5a60e646afb3c2fc110ea0dc93821e29dc48da62280bb

      SHA512

      1d004bb21f7225fe220aae71d7836c0f5b2e58cb855209e2cc7f1a903ae73b67c408f59108b31faf7caed420758f4753b476c927299da5d607304b5d3a45bc61

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      62817e8aee918bfb307e9374960c0e22

      SHA1

      a17cd5fde65a4dd8dd8c854b1e39fb00afba1b6e

      SHA256

      b0ce587f7b3229ee1acded737b29fa71e198e5333f3649f8d356ed9c16be9099

      SHA512

      25ef2923a16b8319f2310cfbdcac7fe357472f2d317f7df0355123e2382e0e16665b588d512b44c1940a82bc9b1b32787cbfcded6dc331f5e0ba0a268d80e4d2

      Download Submit

    • memory/1984-146-0x0000000002EF0000-0x0000000002F3E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1984-136-0x0000000000000000-mapping.dmp

      Download

    • memory/1984-142-0x0000000000C60000-0x0000000000C81000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3488-132-0x0000000000000000-mapping.dmp

      Download

    • memory/3488-133-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3488-135-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3488-144-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4940-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4940-147-0x0000000003890000-0x00000000038DE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4952-140-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4952-145-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4952-143-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4952-138-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4952-137-0x0000000000000000-mapping.dmp

      Download