Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2023 14:23

General

  • Target

    6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe

  • Size

    6.9MB

  • MD5

    007a67bfa732084b3f8278b302bef49e

  • SHA1

    50c48db4fdcb0b4d464ec5fcfee2ebd7b8405e1c

  • SHA256

    6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d

  • SHA512

    f21d38109c4cf71dc117c921c35cc3fae19cc9add86963f323a2d5714eb7e6eb69179d8f530a70bd58fabb9692a1a0a5a38da29b3d51ed9572b98e9ecaf55b34

  • SSDEEP

    98304:R+fSMIs21u7XMp6d2/PkBfwYC6+6Jo66DRZ6pZzhlkLTt29s4C1eH9G:R+ftIs0u7H2HkZwI9DwRZWmTt5o9G

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 1 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
    "C:\Users\Admin\AppData\Local\Temp\6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe"
    1⤵
    • Registers COM server for autorun
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe
      C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Users\Admin\AppData\Local\Temp\is-KEA1K.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-KEA1K.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp" /SL5="$10003E,832512,832512,C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        PID:4900
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Public\Libraries\netid1671422940.dll0,Main netid1671422940.dll0
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Modifies Control Panel
      PID:3004
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2304
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1704

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133302758530877134.txt

    Filesize

    75KB

    MD5

    65019a5db517d9fb830d8a57406a03ea

    SHA1

    817faf2ffe8461f653519e7bd96e7ee75021c891

    SHA256

    3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

    SHA512

    bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

  • C:\Users\Admin\AppData\Local\Temp\is-KEA1K.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp

    Filesize

    3.1MB

    MD5

    9b2231506b2a97692f6b9683460880a0

    SHA1

    226f72dcea4f8c3bfb0bb3dec4e63c2725170568

    SHA256

    b1b015f3762b4b9bfce928401a3b13beee5fb70c989b97a03d57545fc00a1978

    SHA512

    1b5be819d361fd2321b4407f1d5e56123b497848e2dfd337783b30fb9ab3c0f6a2abd7cb6ed03e3abf886ae47d76134f8d3f1f5b1de57056c6d8901dae533546

  • C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe

    Filesize

    1.6MB

    MD5

    ffdcae3b31803a83e3818714d343a975

    SHA1

    b52678a98201be08c5ce65c181a56f1959c8698c

    SHA256

    c94e889a6c9f4c37f34f75bf54e6d1b2cd7ee654cd397df348d46abe0b0f6ca3

    SHA512

    e1ae4c98ccdbfe9dd2d234bda77c3098992512fcebb4e4e275e71359925ab5ac5bb11a52cd6d30903b3b910d962c967bda03e2eb40d73dfef7ff9d4c5e2e86bc

  • C:\Users\Public\Libraries\netid1671422940.dll0

    Filesize

    2.6MB

    MD5

    6f47723e5fc6e96ab5e9f96f6bc585fa

    SHA1

    04e3be2ff570eb1a479925560103af5d22961983

    SHA256

    0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a

    SHA512

    08a56a06e12a23ffdfc1eeed274bba2c1cee86270e6460114cc20355f05d27d99e92a0ea680a2f257675d6c368dfc72a41b901a837c85a505b1b87acae5d9e96

  • C:\Users\Public\Libraries\prxyms1671422940.dll

    Filesize

    2.5MB

    MD5

    69072084fcad54dcdc386f6b8b591bc8

    SHA1

    e267e26db077a72f6ca8322993a55038b147c408

    SHA256

    65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d

    SHA512

    238925e3936ed079146077da9e969f18da2acbcbe1656f2a0cbf08d35e381fcbfea95c74f4144f206e8b2b3378f6489a8720a8fe349bf17b030ae311f0186438

  • C:\Users\Public\Libraries\update.conf

    Filesize

    260B

    MD5

    a49f17a15fe5d6caa16205c8e7479d81

    SHA1

    a964fa09db10fda85cb4b1d08d31ada5c02c47f6

    SHA256

    0062c4ec61fbb9f987a0aac1a5ec01ce3865e7cffa21873a0cada154b6ece8c3

    SHA512

    48edbe730800c157e6af0674c8b22e72543860b03f06fbe29f2bc16ba32b588151ab331038074d4486df769b4b79922ade6f6f2860a1af5a422b2860c6d5874a

  • \??\c:\users\admin\appdata\local\temp\is-kea1k.tmp\installer.remotedesktopmanager.2022.3.35.0.tmp

    Filesize

    3.1MB

    MD5

    9b2231506b2a97692f6b9683460880a0

    SHA1

    226f72dcea4f8c3bfb0bb3dec4e63c2725170568

    SHA256

    b1b015f3762b4b9bfce928401a3b13beee5fb70c989b97a03d57545fc00a1978

    SHA512

    1b5be819d361fd2321b4407f1d5e56123b497848e2dfd337783b30fb9ab3c0f6a2abd7cb6ed03e3abf886ae47d76134f8d3f1f5b1de57056c6d8901dae533546

  • memory/1628-152-0x0000000003530000-0x0000000003531000-memory.dmp

    Filesize

    4KB

  • memory/1704-159-0x00000275AD700000-0x00000275AD720000-memory.dmp

    Filesize

    128KB

  • memory/1704-161-0x00000275AD6C0000-0x00000275AD6E0000-memory.dmp

    Filesize

    128KB

  • memory/1704-164-0x00000275ADCE0000-0x00000275ADD00000-memory.dmp

    Filesize

    128KB

  • memory/3192-278-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/3192-327-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/3192-138-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/4900-283-0x00000000027F0000-0x00000000027F1000-memory.dmp

    Filesize

    4KB

  • memory/4900-282-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4900-317-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4900-319-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4900-322-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4900-324-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4900-145-0x00000000027F0000-0x00000000027F1000-memory.dmp

    Filesize

    4KB