Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    177s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-06-2023 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b25c4c1635384ea4f499c700ba5e0fb57b1c0c1cff4d7bb86c60add4daa61118.exe

  • Size

    763KB

  • MD5

    572f8be36ba2d9a97f3696e7eeb7a67a

  • SHA1

    61a7e834ef1e995ff08ba4f5c25978a87f0ee731

  • SHA256

    b25c4c1635384ea4f499c700ba5e0fb57b1c0c1cff4d7bb86c60add4daa61118

  • SHA512

    b08110cb24cd3b6cb30165f56a96639d8735bd269ac2c63494cecd32faa0088e7729cc673b0b8916888d57091a856d90afa940d0c56dee7cfbce7bbf9e3e726d

  • SSDEEP

    12288:pMrCy90cbqU4jROmJ4TURctkX524t/C15XzwXaFtTGC4Hu0Kt:byKGT0/p24hCfXUX8j0A

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b25c4c1635384ea4f499c700ba5e0fb57b1c0c1cff4d7bb86c60add4daa61118.exe
    "C:\Users\Admin\AppData\Local\Temp\b25c4c1635384ea4f499c700ba5e0fb57b1c0c1cff4d7bb86c60add4daa61118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8927354.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8927354.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1795025.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1795025.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3020970.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3020970.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0254335.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0254335.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4440
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 152
              6⤵
              • Program crash
              PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8927354.exe
    Filesize

    548KB

    MD5

    a4471f47f4df712245c0fafab65ec8e7

    SHA1

    d4d28f8df1360b40612a3e97a48abb703612da5c

    SHA256

    cc9f32a139638183d5e7c65d827a39f85eaab6012e61331f1d2704c593a0ad56

    SHA512

    0e1af5d141d0da3ce069c0b0e2e21748a8fb35b155b8354945ae1b7c93ffeb5305bb9cf5c5a2f0cc6daefcd34316bb46ed3e1a958e2fcbd884f24947cbe22145

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8927354.exe
    Filesize

    548KB

    MD5

    a4471f47f4df712245c0fafab65ec8e7

    SHA1

    d4d28f8df1360b40612a3e97a48abb703612da5c

    SHA256

    cc9f32a139638183d5e7c65d827a39f85eaab6012e61331f1d2704c593a0ad56

    SHA512

    0e1af5d141d0da3ce069c0b0e2e21748a8fb35b155b8354945ae1b7c93ffeb5305bb9cf5c5a2f0cc6daefcd34316bb46ed3e1a958e2fcbd884f24947cbe22145

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1795025.exe
    Filesize

    376KB

    MD5

    3a162233edc58e99e03a6e9cd7820a50

    SHA1

    2cdd282003214a2b8038cdf31591e9719953c50b

    SHA256

    de09c9158f209ced75634decc0db9edf5bc6905be5053220b31feb8bb883075a

    SHA512

    c3b37750392fa3b6b755155cde2fbbba4692420fb058e3d41c038f337b71e8e091e91c39055f5ffd961fcbd66b84900f330a7f833e5d1a0168a27f15e9642d65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1795025.exe
    Filesize

    376KB

    MD5

    3a162233edc58e99e03a6e9cd7820a50

    SHA1

    2cdd282003214a2b8038cdf31591e9719953c50b

    SHA256

    de09c9158f209ced75634decc0db9edf5bc6905be5053220b31feb8bb883075a

    SHA512

    c3b37750392fa3b6b755155cde2fbbba4692420fb058e3d41c038f337b71e8e091e91c39055f5ffd961fcbd66b84900f330a7f833e5d1a0168a27f15e9642d65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3020970.exe
    Filesize

    220KB

    MD5

    575eaa92b06376855d43ae6533ead62e

    SHA1

    bed05fbda15290594fd8490e3e2b46ec37235f5f

    SHA256

    eb0497814821c2333d6b1af2779c1effa090650f8ff187779a4bcd28f8026e0d

    SHA512

    8fade9df5b52972795aa4423d4f12ebf01016defd47b67f83205151aa083d5979ff78b692816493a6d965ae4175f87105720ee7058cc30f0205b01aefd15b626

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3020970.exe
    Filesize

    220KB

    MD5

    575eaa92b06376855d43ae6533ead62e

    SHA1

    bed05fbda15290594fd8490e3e2b46ec37235f5f

    SHA256

    eb0497814821c2333d6b1af2779c1effa090650f8ff187779a4bcd28f8026e0d

    SHA512

    8fade9df5b52972795aa4423d4f12ebf01016defd47b67f83205151aa083d5979ff78b692816493a6d965ae4175f87105720ee7058cc30f0205b01aefd15b626

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0254335.exe
    Filesize

    147KB

    MD5

    5b4a9679e7888dd4ceb9017816ec6a34

    SHA1

    e638ea896f6610047c3df2c16b88cc52476fbe3e

    SHA256

    015421629142f9daea1df4fdfe3d0c116363794603f11170233809919807f3f0

    SHA512

    13f9b043fea6c751886cdece525fb290bbd89595d49475b59af152a16e3f1adc6040c890a23c06c752a63fb8206c3909f4219f1f577be99d791fc8d89aafc5c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0254335.exe
    Filesize

    147KB

    MD5

    5b4a9679e7888dd4ceb9017816ec6a34

    SHA1

    e638ea896f6610047c3df2c16b88cc52476fbe3e

    SHA256

    015421629142f9daea1df4fdfe3d0c116363794603f11170233809919807f3f0

    SHA512

    13f9b043fea6c751886cdece525fb290bbd89595d49475b59af152a16e3f1adc6040c890a23c06c752a63fb8206c3909f4219f1f577be99d791fc8d89aafc5c5

    Download Submit
  • memory/4440-149-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download