Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    179s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-06-2023 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20ad54843f6b794f29cb2405c2e9c4e613bbe7d3a7471f1b2be4475061dc9e33.exe

  • Size

    767KB

  • MD5

    79a5352ba85efe5195ff8dc6cab2ee90

  • SHA1

    50fc48e7e0c793eb1c9fa4ec817cb79467c0cfbc

  • SHA256

    20ad54843f6b794f29cb2405c2e9c4e613bbe7d3a7471f1b2be4475061dc9e33

  • SHA512

    d837099ffe93a236e18de1e0a2285fd41cfecf95043b1ad3e2491aee0b3e7ce3653f23e661741a040a57602ac7335692d8044365f27c21ef444756b6aa0e0747

  • SSDEEP

    12288:wMr+y90TGNIcEgz9CD0X9PObAs7Yt1Gj/8kGKO6sqf9RikBfBhiI+npiWO1fbRTu:eyWa9CDmUAs7YtwqjifbikjQrpiWOPSF

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20ad54843f6b794f29cb2405c2e9c4e613bbe7d3a7471f1b2be4475061dc9e33.exe
    "C:\Users\Admin\AppData\Local\Temp\20ad54843f6b794f29cb2405c2e9c4e613bbe7d3a7471f1b2be4475061dc9e33.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6786656.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6786656.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4492066.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4492066.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4120
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9828602.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9828602.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4116
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8533872.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8533872.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4072
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 148
              6⤵
              • Program crash
              PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6786656.exe
    Filesize

    546KB

    MD5

    08df2cbd7106f105e6621f5daa16a135

    SHA1

    68471ed83f5e3f0b25e77b7131ff6b38bc5267e7

    SHA256

    d20945b71f8e9277bfd2ef440f660f2d3aed8186f128bc727ff8b7ad738e57a4

    SHA512

    dfdca0e25e01e06a12be1eca18eb92e9b36e27be0e34eab9a232f84af136feda0be0aaecb2ce31db115ee72d31a85ac25c404f7be4228738803034dbb75f43f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6786656.exe
    Filesize

    546KB

    MD5

    08df2cbd7106f105e6621f5daa16a135

    SHA1

    68471ed83f5e3f0b25e77b7131ff6b38bc5267e7

    SHA256

    d20945b71f8e9277bfd2ef440f660f2d3aed8186f128bc727ff8b7ad738e57a4

    SHA512

    dfdca0e25e01e06a12be1eca18eb92e9b36e27be0e34eab9a232f84af136feda0be0aaecb2ce31db115ee72d31a85ac25c404f7be4228738803034dbb75f43f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4492066.exe
    Filesize

    373KB

    MD5

    f02c20cf74dcb76be7acab76ac6785c1

    SHA1

    ff59d3bf1005b2df42929361d4eb20da915444a8

    SHA256

    cdd919afccca22a1d3aa3611e474a357d4521d7a362c4065bc51cd2993e57cf0

    SHA512

    a7e94cf273c485cbdacfe4193d515cdb9ef0809bfaecea58498cfb223e8ddc1ca5ad8e63daacb761c9bacdc340638383fe22c35b634d66eac4c39c710d2d09f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4492066.exe
    Filesize

    373KB

    MD5

    f02c20cf74dcb76be7acab76ac6785c1

    SHA1

    ff59d3bf1005b2df42929361d4eb20da915444a8

    SHA256

    cdd919afccca22a1d3aa3611e474a357d4521d7a362c4065bc51cd2993e57cf0

    SHA512

    a7e94cf273c485cbdacfe4193d515cdb9ef0809bfaecea58498cfb223e8ddc1ca5ad8e63daacb761c9bacdc340638383fe22c35b634d66eac4c39c710d2d09f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9828602.exe
    Filesize

    218KB

    MD5

    c15f5cb383d94c2ad4a4e0c178362717

    SHA1

    1626f71100aecd2d9a72b184dc44c8eca12d6f85

    SHA256

    0c82a74f4efb8eac4b624525e82e2f934bd69d05a0d0559276a3e8afa5f3a922

    SHA512

    150e33962c42ebe9effdbe85e5230b091c6a4d721c0e06a12c300e8cbb9adcb82a7bcb6a34f6258c27723f81bb9abbdc24bed5bcbfa8cd52cad52978cc5ae31d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9828602.exe
    Filesize

    218KB

    MD5

    c15f5cb383d94c2ad4a4e0c178362717

    SHA1

    1626f71100aecd2d9a72b184dc44c8eca12d6f85

    SHA256

    0c82a74f4efb8eac4b624525e82e2f934bd69d05a0d0559276a3e8afa5f3a922

    SHA512

    150e33962c42ebe9effdbe85e5230b091c6a4d721c0e06a12c300e8cbb9adcb82a7bcb6a34f6258c27723f81bb9abbdc24bed5bcbfa8cd52cad52978cc5ae31d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8533872.exe
    Filesize

    141KB

    MD5

    d74eecd8bf1cddf47b28aa8750f237a0

    SHA1

    db78fa68f926732edaa1a4347e73cf607f3d833e

    SHA256

    9715629de13395b5e03ea716b8998d3023ddd70519d7dcb6688988cc8cf7336a

    SHA512

    b47961f1a69f8cd328bd23964574a4b4348ab482e9085fdcb994bde0eab991ad1144de20e909e124ab4e4ef65435a335238f3a0fa82a6799904a954ecb5fd8ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8533872.exe
    Filesize

    141KB

    MD5

    d74eecd8bf1cddf47b28aa8750f237a0

    SHA1

    db78fa68f926732edaa1a4347e73cf607f3d833e

    SHA256

    9715629de13395b5e03ea716b8998d3023ddd70519d7dcb6688988cc8cf7336a

    SHA512

    b47961f1a69f8cd328bd23964574a4b4348ab482e9085fdcb994bde0eab991ad1144de20e909e124ab4e4ef65435a335238f3a0fa82a6799904a954ecb5fd8ee

    Download Submit
  • memory/1820-148-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download