Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2023, 11:11 UTC

General

  • Target

    maxoysj4762.exe

  • Size

    585KB

  • MD5

    d6bf1f473ce21610f125492e27d1a4e4

  • SHA1

    c51444cd94cbfb2f955f555feac4512ed7ef33d1

  • SHA256

    898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

  • SHA512

    80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

  • SSDEEP

    12288:aHWHvZzn5JuHNKu0H4AMSpr7kIdhq8SKaGl7Cwu7k9QJ:a2Phn5otW4yZgmqjMZ6490

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe
    "C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe
      "C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe"
      2⤵
      PID:4644
    • C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe
      "C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe"
      2⤵
      PID:4836
    • C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe
      "C:\Users\Admin\AppData\Local\Temp\maxoysj4762.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824

Network


MITRE ATT&CK Enterprise v6


Downloads

  • memory/2824-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
  • memory/2824-142-0x0000000001970000-0x0000000001CBA000-memory.dmp (Filesize 3.3MB)
  • memory/2824-143-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
  • memory/4192-133-0x0000000000090000-0x0000000000128000-memory.dmp (Filesize 608KB)
  • memory/4192-134-0x0000000004ED0000-0x0000000005474000-memory.dmp (Filesize 5.6MB)
  • memory/4192-135-0x00000000049C0000-0x0000000004A52000-memory.dmp (Filesize 584KB)
  • memory/4192-136-0x0000000004C30000-0x0000000004C40000-memory.dmp (Filesize 64KB)
  • memory/4192-137-0x0000000004980000-0x000000000498A000-memory.dmp (Filesize 40KB)
  • memory/4192-138-0x0000000004C30000-0x0000000004C40000-memory.dmp (Filesize 64KB)
  • memory/4192-139-0x0000000006740000-0x00000000067DC000-memory.dmp (Filesize 624KB)
