Overview

overview

10

Static

static

1

a4c7865d9b...5e.exe

windows7-x64

8

a4c7865d9b...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2023, 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4c7865d9ba1a155c43e27d57a3d9c5729d52d4b5b49620567cdd9a1c7ac7a5e.exe

  • Size

    479KB

  • MD5

    82433d5315e53ad0a675dec37b7ba466

  • SHA1

    fc86670f0bffc539490f791ca011409a7bfb2b14

  • SHA256

    a4c7865d9ba1a155c43e27d57a3d9c5729d52d4b5b49620567cdd9a1c7ac7a5e

  • SHA512

    ee178177c1b8f62155ed619df27cc94ccc34d650b95598efaf7359379e8c678494ea45ec30704be0d3b6facb465a0401da93e1f6f8e6834b32bacb5a4ac76640

  • SSDEEP

    6144:yk7uSDR0GhP0lm6i33cDvXwFpjmK/vCo13Zv1ww+AIJYhfb9nIaGq9aEDX:yk7uYGOai33RNDSoFZ/HbhfbyyUGX

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c7865d9ba1a155c43e27d57a3d9c5729d52d4b5b49620567cdd9a1c7ac7a5e.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c7865d9ba1a155c43e27d57a3d9c5729d52d4b5b49620567cdd9a1c7ac7a5e.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
      2⤵
        PID:676
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
        2⤵
          PID:572
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
          2⤵
            PID:1296
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
            2⤵
              PID:1080
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 304
                3⤵
                • Program crash
                PID:940

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1244-54-0x00000000002F0000-0x000000000036C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/1244-55-0x000000001A5D0000-0x000000001A648000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1244-56-0x000000001AF30000-0x000000001AFB0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1584-58-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download