Overview

overview

8

Static

static

3

Build6.exe

windows7-x64

8

Build6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2023, 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Build6.exe

  • Size

    701KB

  • MD5

    b6fc37fce8c66b811adcb11e2a588913

  • SHA1

    f623733af2c004fb9489ee0723574fa01d1d2097

  • SHA256

    50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

  • SHA512

    7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

  • SSDEEP

    6144:57A/MmJMsENIsRctX5rUvQSNj0LZOWM8yucn:5U/MmrrU1Nj0LZOd8yus

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Build6.exe
    "C:\Users\Admin\AppData\Local\Temp\Build6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:1208
      • C:\Users\Admin\AppData\Local\Temp\Build6.exe
        "C:\Users\Admin\AppData\Local\Temp\Build6.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
            4⤵
            • Creates scheduled task(s)
            PID:684
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.bat""
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:844
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1700
          • C:\Users\Admin\AppData\Roaming\Svchost.exe
            "C:\Users\Admin\AppData\Roaming\Svchost.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              5⤵
                PID:1600
              • C:\Users\Admin\AppData\Roaming\Svchost.exe
                "C:\Users\Admin\AppData\Roaming\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:932
              • C:\Users\Admin\AppData\Roaming\Svchost.exe
                "C:\Users\Admin\AppData\Roaming\Svchost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1416
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x56c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:272

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.bat
        Filesize

        151B

        MD5

        2fa89354a8cbbb1ec99ba3628babea59

        SHA1

        700b16e52f9cc857621fff9af40aba85b54f29d2

        SHA256

        64f9d5f9ae009d0b32ecdfd09a794157adcc0316ee56703306236cd90452acdb

        SHA512

        fa1f02475b09f961d54417259a2688ff704f5c6e2bea4601ffc51c9fd49ac82b00c7bdc1c33bcac2440b44ffbff09711b850722d9e165fb01a03ccd29853f526

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.bat
        Filesize

        151B

        MD5

        2fa89354a8cbbb1ec99ba3628babea59

        SHA1

        700b16e52f9cc857621fff9af40aba85b54f29d2

        SHA256

        64f9d5f9ae009d0b32ecdfd09a794157adcc0316ee56703306236cd90452acdb

        SHA512

        fa1f02475b09f961d54417259a2688ff704f5c6e2bea4601ffc51c9fd49ac82b00c7bdc1c33bcac2440b44ffbff09711b850722d9e165fb01a03ccd29853f526

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Svchost.exe
        Filesize

        701KB

        MD5

        b6fc37fce8c66b811adcb11e2a588913

        SHA1

        f623733af2c004fb9489ee0723574fa01d1d2097

        SHA256

        50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

        SHA512

        7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Svchost.exe
        Filesize

        701KB

        MD5

        b6fc37fce8c66b811adcb11e2a588913

        SHA1

        f623733af2c004fb9489ee0723574fa01d1d2097

        SHA256

        50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

        SHA512

        7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Svchost.exe
        Filesize

        701KB

        MD5

        b6fc37fce8c66b811adcb11e2a588913

        SHA1

        f623733af2c004fb9489ee0723574fa01d1d2097

        SHA256

        50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

        SHA512

        7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Svchost.exe
        Filesize

        701KB

        MD5

        b6fc37fce8c66b811adcb11e2a588913

        SHA1

        f623733af2c004fb9489ee0723574fa01d1d2097

        SHA256

        50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

        SHA512

        7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

        Download Submit

      • \Users\Admin\AppData\Roaming\Svchost.exe
        Filesize

        701KB

        MD5

        b6fc37fce8c66b811adcb11e2a588913

        SHA1

        f623733af2c004fb9489ee0723574fa01d1d2097

        SHA256

        50c741e252a93f02d0d96bf0f5faa200c425a7cced7de84d6b56144bb9eca8ad

        SHA512

        7b2e72eb5f8cd84033e5ce19707b5a11005b27750ca9b7041b564bf125e85dc6852e8d4d3af7e3e8104030af2a565d423afaa7840cccb8e3a0a0667e0dfad59b

        Download Submit

      • memory/876-83-0x0000000004110000-0x0000000004120000-memory.dmp

        Filesize

        64KB

        Download

      • memory/876-67-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/876-96-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1112-59-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-62-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-57-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1112-60-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-64-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-66-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-58-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1112-68-0x0000000000D50000-0x0000000000D90000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1368-55-0x0000000004840000-0x0000000004880000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1368-54-0x0000000000DA0000-0x0000000000E56000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1416-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1416-95-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1416-93-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2040-81-0x0000000000D00000-0x0000000000DB6000-memory.dmp

        Filesize

        728KB

        Download