Overview

overview

7

Static

static

1

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

7

Analysis

  • max time kernel
    90s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2023 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e70412953b78c03412dbd33aa71e426534e0a715f07104c4298c82260a44a38.exe

  • Size

    4.7MB

  • MD5

    9cd96e016464e8489693721f9fbcb114

  • SHA1

    5fbfcfe080a2e69be0d4b7281bdf5a9f099b65b4

  • SHA256

    7e70412953b78c03412dbd33aa71e426534e0a715f07104c4298c82260a44a38

  • SHA512

    d0f170b182614f53acfed1128d782444ed288e5fdf84d4860c0ff6c57002d6129df04e07e0c4774b4f373226fa37ccf14fc3f56e346db283b5e8d7c4452655a1

  • SSDEEP

    98304:SrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4ooq:SFBMuOCTpDLaqiRYLT

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e70412953b78c03412dbd33aa71e426534e0a715f07104c4298c82260a44a38.exe
    "C:\Users\Admin\AppData\Local\Temp\7e70412953b78c03412dbd33aa71e426534e0a715f07104c4298c82260a44a38.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
        PID:1920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        2⤵
          PID:1216
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          2⤵
            PID:1912
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:528
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              3⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:972
              • C:\Windows\SysWOW64\icacls.exe
                "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type7.9.9.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
                4⤵
                • Modifies file permissions
                PID:776
              • C:\Windows\SysWOW64\icacls.exe
                "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type7.9.9.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
                4⤵
                • Modifies file permissions
                PID:840
              • C:\Windows\SysWOW64\icacls.exe
                "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type7.9.9.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
                4⤵
                • Modifies file permissions
                PID:2032
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3" /TR "C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe" /SC MINUTE
                4⤵
                • Creates scheduled task(s)
                PID:1184
              • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
                "C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                4⤵
                • Executes dropped EXE
                PID:984
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {77B5359B-B5B6-43DC-A8C4-3B7F4FD18268} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
          1⤵
          • Loads dropped DLL
          PID:968
          • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
            C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
            2⤵
            • Executes dropped EXE
            PID:1536

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          585.6MB

          MD5

          7aae96df80f3b9811dd1f27fe4a1c188

          SHA1

          d790960331558af1276cb0474caf359ac99f0a3d

          SHA256

          1d659187dd40a6670548b82ec65b9ef94f158256503fa23615edda5d3cb6c83d

          SHA512

          350a07d62e096028b0967656e900dbe35ff1e88d9669d127b81e4d3a378e29ed11fc0182883594fc8af5c614ccca9536632de86f8b0cd25cffbeec1b8391a2e1

          Download Submit

        • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          576.1MB

          MD5

          8cbf65688c73a773c9ad0af3cdbd84f6

          SHA1

          8cbd008b6708059cc279a9cabcbdf289d974606b

          SHA256

          df5546a2e51d36fe4efde590e8dc44c7e96eccd4fea8100b62127aabd0372f2a

          SHA512

          e6a0ffdb02ed1e5ec85be3b9ed99354baf7f13a139fdf9381f671d22ad28422460b918f941d6aa7145a1eeb436ecc5fcc83280d7b6a57b6a6cd7836932d8425c

          Download Submit

        • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          610.6MB

          MD5

          5e986c8daab9fb980f7b1d9c24445c62

          SHA1

          c234240960e4cc32a50cae92ff23f2eca14e395c

          SHA256

          29a2412a801cd90f6abb6a98c83bbc9dad258c5d1b8d416aa9b94e7d1dc69630

          SHA512

          a563e260ec73804475369a18aaf3f68027a358de5669e2bc145eb1b056bf8f3bfbe37adce8cb4d7f5d27fc58f63c5e01bbe153a15dfbadaa7bd6a99995b51dd2

          Download Submit

        • C:\ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          443.9MB

          MD5

          ff36226eb1fd92a6767185c00795c6c2

          SHA1

          f60697be1350bde17c8fe73bdc79e63c6eab72fd

          SHA256

          3f890562812e9d8675f83f2d662007ad411245533e15484ae5a85a0e83e9c47a

          SHA512

          63f6804bdf2d96a9d7ae8fa566c7b7d642048617390c16dca4d94bbbce49ef9f7cd9cb966d1a569bdf32626b168a13434957960f41b834b9dc8fafbf7681d4ef

          Download Submit

        • \ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          636.1MB

          MD5

          25dd6808ae3b0a58e51e633b409e76fd

          SHA1

          6bc483db188cef2ae640ca0af78d5ce114d3a4d0

          SHA256

          3e8b0cb3238368e0637d705d75951d0ab673e09e66230b678cfe9fba070a17bc

          SHA512

          5f81b034f2450828f852ea2502fdbf5651ad6a09b7cadcc08768c253424c3a6e390aa580f7e7711d8b387bb5b9e94374d45946898728b9ed414fd49000cbf85a

          Download Submit

        • \ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          537.4MB

          MD5

          1ce5f68ae7a8cc9d960d1cf92f386c78

          SHA1

          8a9eb74627d446a5d6c2111334379d75c8620de0

          SHA256

          4b38ad3fa9999aad80155c66eb5648a151261e250ebde90b3366531b383ad7da

          SHA512

          fabff44616c3b80ef7d99e88c105e999b731c19f35d77cd28f45a82d33266f821095adc6736b9daf493c379fdbc238202ab766fb44712940796889683ed012de

          Download Submit

        • \ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          444.6MB

          MD5

          a2bbccf3e1114261fe8bebe0589c056b

          SHA1

          2787883308f7af42b8ea9325da45bf9caada7c99

          SHA256

          16f7beaf7279d1cf31ea3e9023e6b801e5f4fb4d0b279b9e95d15c2b6d1fccea

          SHA512

          557c4fe034708c4f3439f5c78cb51072fee0d5aedb82d7195e40bed2aecd282d80b2162468ca6d519c9335570d41e50a38ed86915d6ea998464c516e25f14750

          Download Submit

        • \ProgramData\DocumentsDesktop-type7.9.9.3\DocumentsDesktop-type7.9.9.3.exe
          Filesize

          460.1MB

          MD5

          4b2b05fe728e0e80ba9a490901ec5726

          SHA1

          8d68720b08c6f27ebb08fa94a90995f5f5811e96

          SHA256

          fc32adac8124f576eb5f6452642f1a5534ad2da83b33b6501be1f6a781b303c1

          SHA512

          b6e54fea51998081a11565d64e20a519eac7b55059a7bc2fcac979a9eaf5917df2e71c422fb86a88395692d1aac1569a9ec14dc6d7e8c2db80daad293d9a4039

          Download Submit

        • memory/528-55-0x0000000000400000-0x00000000008A3000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/528-64-0x0000000000400000-0x00000000008A3000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/528-63-0x0000000000400000-0x00000000008A3000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/528-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/528-56-0x0000000000400000-0x00000000008A3000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/972-66-0x0000000000400000-0x000000000088C000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/972-77-0x0000000005030000-0x0000000005070000-memory.dmp

          Filesize

          256KB

          Download

        • memory/972-76-0x0000000005030000-0x0000000005070000-memory.dmp

          Filesize

          256KB

          Download

        • memory/972-75-0x0000000005030000-0x0000000005070000-memory.dmp

          Filesize

          256KB

          Download

        • memory/972-74-0x0000000000400000-0x000000000088C000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/972-73-0x0000000000400000-0x000000000088C000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/972-67-0x0000000000400000-0x000000000088C000-memory.dmp

          Filesize

          4.5MB

          Download