Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    177s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-06-2023 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d.exe

  • Size

    757KB

  • MD5

    f19fa90ff55e27340dd39410e6dffd39

  • SHA1

    6ff2b0805f5766dfeb73ffb74bb5bee154a33222

  • SHA256

    09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d

  • SHA512

    431076378298da465fac2cf50680cd66d868949724e6d98ec8f0e5681aee799edadb3428f19957602b7ad6c8e47a40e9850df403cc3304d540bcf2da90188b15

  • SSDEEP

    12288:aMrly905KP0huYxgMOj1rZed5MA76VesQjREgZ/lzvBR7A6UsbjpisKe4z+0e:fyLP0NqMeZG5v76VesQ9EM/lzvT7NUsP

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d.exe
    "C:\Users\Admin\AppData\Local\Temp\09165d1bb48ef976dac9b9cee3c66d2a2bf5c36b455f480c5db49cd0ab50865d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9653224.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9653224.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9180950.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9180950.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5428767.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5428767.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4808
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8855625.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8855625.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2012
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4248
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 144
              6⤵
              • Program crash
              PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9653224.exe
    Filesize

    541KB

    MD5

    e04b4c081f4036dee5bee4d15ccc948e

    SHA1

    d6bdfae5c1cf2a8612afa43f31570e25c8825b0a

    SHA256

    6015a4de2702e6fc2e3c6ee8a5d0d095e3c12f49e3051d25fe7bd4e6f1fe59d6

    SHA512

    93a5687a4bdbbf0197ca1772faf52e3064a7c8f368b02d6e573663b50acd1ea2803a9d1ddddd27132da5c030a0978e58ae99ef758dfd2fbc54cace19d1c8f18f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9653224.exe
    Filesize

    541KB

    MD5

    e04b4c081f4036dee5bee4d15ccc948e

    SHA1

    d6bdfae5c1cf2a8612afa43f31570e25c8825b0a

    SHA256

    6015a4de2702e6fc2e3c6ee8a5d0d095e3c12f49e3051d25fe7bd4e6f1fe59d6

    SHA512

    93a5687a4bdbbf0197ca1772faf52e3064a7c8f368b02d6e573663b50acd1ea2803a9d1ddddd27132da5c030a0978e58ae99ef758dfd2fbc54cace19d1c8f18f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9180950.exe
    Filesize

    369KB

    MD5

    d28218022e0b5c21c862730bd48b1dbf

    SHA1

    20bbd2199c3fc27228da17114162d4b34effa325

    SHA256

    0e2b85faabfdddcf5f1db306fc7484fb0c44d5adf29dfabaf57a4a3715b9a454

    SHA512

    3c98f65475c0dcac6718a3f9d4bd708f81cf2f6ae7af52d9eec93466cba1e8ba5d6f5e040ea51010b9520d2d40afe3151df2516ccc1a2a13a841ccd3018c69d5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9180950.exe
    Filesize

    369KB

    MD5

    d28218022e0b5c21c862730bd48b1dbf

    SHA1

    20bbd2199c3fc27228da17114162d4b34effa325

    SHA256

    0e2b85faabfdddcf5f1db306fc7484fb0c44d5adf29dfabaf57a4a3715b9a454

    SHA512

    3c98f65475c0dcac6718a3f9d4bd708f81cf2f6ae7af52d9eec93466cba1e8ba5d6f5e040ea51010b9520d2d40afe3151df2516ccc1a2a13a841ccd3018c69d5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5428767.exe
    Filesize

    214KB

    MD5

    49e98eae6b8c5eee6c9a97630f1bb2f0

    SHA1

    b91123187d495296806ea9527385f36f102a2d3b

    SHA256

    243f091e8c6011ac7c5082a137030873b32b057d649d70fbf4d50725538dffed

    SHA512

    4d4b9a756356517c3215028bc77a0396d294996fc4780d6cca82c47f8a591eb4292ae9d6004b9979524f7556c000da303671d272fcaeb33fee09eada8da66e81

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5428767.exe
    Filesize

    214KB

    MD5

    49e98eae6b8c5eee6c9a97630f1bb2f0

    SHA1

    b91123187d495296806ea9527385f36f102a2d3b

    SHA256

    243f091e8c6011ac7c5082a137030873b32b057d649d70fbf4d50725538dffed

    SHA512

    4d4b9a756356517c3215028bc77a0396d294996fc4780d6cca82c47f8a591eb4292ae9d6004b9979524f7556c000da303671d272fcaeb33fee09eada8da66e81

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8855625.exe
    Filesize

    143KB

    MD5

    96536ef5b1eb8b93c8182988954362ff

    SHA1

    92353b18b9aa7d16fab0fe3da4d99b9c7abec5a0

    SHA256

    aa7fa3819d07fac778e9a95e99e48fcf3ee47bcee2d66cabfcfb43d872fe2dff

    SHA512

    acfc986d39c6528343a3d0ee27092c749f1fe2590a24e03af3017508816adbf08b531b55777e0183a14b1076d336ac5facd05eea4d6116e8812a3053504635d1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8855625.exe
    Filesize

    143KB

    MD5

    96536ef5b1eb8b93c8182988954362ff

    SHA1

    92353b18b9aa7d16fab0fe3da4d99b9c7abec5a0

    SHA256

    aa7fa3819d07fac778e9a95e99e48fcf3ee47bcee2d66cabfcfb43d872fe2dff

    SHA512

    acfc986d39c6528343a3d0ee27092c749f1fe2590a24e03af3017508816adbf08b531b55777e0183a14b1076d336ac5facd05eea4d6116e8812a3053504635d1

    Download Submit
  • memory/4248-148-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download