Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    186s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-06-2023 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958.exe

  • Size

    758KB

  • MD5

    13499eab406c0a48dcf39dda4aa38e19

  • SHA1

    7bde52bbb83557923b367462cab76b484949c4fc

  • SHA256

    74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958

  • SHA512

    3fd55ffbce197423d3bd8e3f7e35ef31365a542404349a424626afcca1347176897a5def788fe912a3ec0aa35a069af5db8ce952cd414002a90e5e4d589ad4e0

  • SSDEEP

    12288:kMrKy90Hsvj1Z520YjN4f0ggFgcZH2i1IlnBTKIyYjLXX/tLMpviwEFmTi33X6RR:OyTb1ZM0YjN4fAiU7IGIyWLXVAnEFmTV

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958.exe
    "C:\Users\Admin\AppData\Local\Temp\74398e2525fb40b7bcbb7be1db8c765d33257cacbabbf44d38d5d7c387ea0958.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8598814.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8598814.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4405986.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4405986.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4497591.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4497591.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0555529.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0555529.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4788
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 568
              6⤵
              • Program crash
              PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8598814.exe
    Filesize

    542KB

    MD5

    aa19b04f6fba786acfa6da472210f5fc

    SHA1

    a0aad2323563071eb7ab20ba384035d52f1a3d45

    SHA256

    6140d5ff3e1521752e5086a305a5ee000f031b8700628a92096172f4b13f9237

    SHA512

    cfe271798196a0a9e913b986a4d797c377b404def2aa495034fd14507b8656ba9c1a26522ed2bf13003f497b9098a723fa24ee7f814bc921f385b0d41679c997

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8598814.exe
    Filesize

    542KB

    MD5

    aa19b04f6fba786acfa6da472210f5fc

    SHA1

    a0aad2323563071eb7ab20ba384035d52f1a3d45

    SHA256

    6140d5ff3e1521752e5086a305a5ee000f031b8700628a92096172f4b13f9237

    SHA512

    cfe271798196a0a9e913b986a4d797c377b404def2aa495034fd14507b8656ba9c1a26522ed2bf13003f497b9098a723fa24ee7f814bc921f385b0d41679c997

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4405986.exe
    Filesize

    370KB

    MD5

    9027b58f90b82de1d530275b22090c2b

    SHA1

    bfdaa1f90a05155a1c3b15d3e474e264bd415f5e

    SHA256

    5bb9f651c140abf54b39fc32c5d8ab92f46ba4ad34b33cbcbabfb5d4a097dbe3

    SHA512

    337255050e83fe1945f0441638ecc2db5b1eabf2f25b162add5afbf201a9d29e758dc739ad89f7c97583e6f092a6f76414501d7ef23bc3726098d7f82126fc47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4405986.exe
    Filesize

    370KB

    MD5

    9027b58f90b82de1d530275b22090c2b

    SHA1

    bfdaa1f90a05155a1c3b15d3e474e264bd415f5e

    SHA256

    5bb9f651c140abf54b39fc32c5d8ab92f46ba4ad34b33cbcbabfb5d4a097dbe3

    SHA512

    337255050e83fe1945f0441638ecc2db5b1eabf2f25b162add5afbf201a9d29e758dc739ad89f7c97583e6f092a6f76414501d7ef23bc3726098d7f82126fc47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4497591.exe
    Filesize

    214KB

    MD5

    67ca2d22f1895e2a0b71738e6e033a1a

    SHA1

    6dfaaa5ddd9fcfec879e3d534d980b136446a50c

    SHA256

    87193c830332be5208568100c9cf625a03befd7d17579870a5da8689b6540cb5

    SHA512

    bf41bedd9fcce2f310d12dbdb9d61ba12852d5d703113035eaa50db689d2d4f6a34795f28819b253cf64e34aa912f245e4aeaa73a8846cd77a4e96c0a2d14c1c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4497591.exe
    Filesize

    214KB

    MD5

    67ca2d22f1895e2a0b71738e6e033a1a

    SHA1

    6dfaaa5ddd9fcfec879e3d534d980b136446a50c

    SHA256

    87193c830332be5208568100c9cf625a03befd7d17579870a5da8689b6540cb5

    SHA512

    bf41bedd9fcce2f310d12dbdb9d61ba12852d5d703113035eaa50db689d2d4f6a34795f28819b253cf64e34aa912f245e4aeaa73a8846cd77a4e96c0a2d14c1c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0555529.exe
    Filesize

    143KB

    MD5

    b872eaba38c7e18cd9dfe5efa7cca55b

    SHA1

    eb2e38ec60136fb9a469a433f07aaa9845d5ef8b

    SHA256

    d22817758c571867a536ad79f677dce57d31ccdb6ad59a7e700b77e6eb6351db

    SHA512

    0f58cab8b2080e77e2264e07d5567180d2fb497e54564c1563cb0560994fc014cc5a07ff986a0153d69927497038956857c6f75ba11479e70bb6bbaaaecd69e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0555529.exe
    Filesize

    143KB

    MD5

    b872eaba38c7e18cd9dfe5efa7cca55b

    SHA1

    eb2e38ec60136fb9a469a433f07aaa9845d5ef8b

    SHA256

    d22817758c571867a536ad79f677dce57d31ccdb6ad59a7e700b77e6eb6351db

    SHA512

    0f58cab8b2080e77e2264e07d5567180d2fb497e54564c1563cb0560994fc014cc5a07ff986a0153d69927497038956857c6f75ba11479e70bb6bbaaaecd69e4

    Download Submit
  • memory/4788-149-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download