Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    183s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-06-2023 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdca79085867f759f16f8452a86fe82f0e2710d07d3b4aad3908524ba3fead0b.exe

  • Size

    763KB

  • MD5

    ff00d6b0dbc192ace7b8501bc296f70c

  • SHA1

    4c1fcc6e153add978819da0425354a9c070cf0a8

  • SHA256

    fdca79085867f759f16f8452a86fe82f0e2710d07d3b4aad3908524ba3fead0b

  • SHA512

    ebe15b008931f90dda8a710796593b5031d652618e92ecc0a15977abe2b688e0089c658d4b2942368c1284ceb034bbf0b7af1f6b023cbdbec3036ee55fb7afa9

  • SSDEEP

    12288:TMrqy90db041cEM2/PGvRPNZT8LjrGi7A36nm5cu9zNbKtPjBkhh39:pyYb51vM2/mPHojhE3/h9zd4439

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdca79085867f759f16f8452a86fe82f0e2710d07d3b4aad3908524ba3fead0b.exe
    "C:\Users\Admin\AppData\Local\Temp\fdca79085867f759f16f8452a86fe82f0e2710d07d3b4aad3908524ba3fead0b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5237077.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5237077.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3173451.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3173451.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6834943.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6834943.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0020880.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0020880.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4236
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 144
              6⤵
              • Program crash
              PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5237077.exe
    Filesize

    544KB

    MD5

    e83f2e331ba0b473db5abec5181c6356

    SHA1

    405e8ba141bba1deb92246316ee2fcf97af3eec0

    SHA256

    8d8aeabc22a7c0f73e77b815320ebbe2192ffb8907272f1def0887315f9e97f6

    SHA512

    f16e3e3e90a4521c320b4073357b601255fd7c29249ec81fd16cd287b972c5b5eb8232df8f9650783c6e6588612a68051b40e3d592c026af791cde5248d747f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5237077.exe
    Filesize

    544KB

    MD5

    e83f2e331ba0b473db5abec5181c6356

    SHA1

    405e8ba141bba1deb92246316ee2fcf97af3eec0

    SHA256

    8d8aeabc22a7c0f73e77b815320ebbe2192ffb8907272f1def0887315f9e97f6

    SHA512

    f16e3e3e90a4521c320b4073357b601255fd7c29249ec81fd16cd287b972c5b5eb8232df8f9650783c6e6588612a68051b40e3d592c026af791cde5248d747f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3173451.exe
    Filesize

    372KB

    MD5

    1218167261bffaf0805e36bbc63f275c

    SHA1

    ec9170472341512d8229ee0f890b0a25962d8a1d

    SHA256

    38ebc46d94cfd2596e9fd3d47ebe717224d001a29750bd086989f65762f0dc21

    SHA512

    6c5ae4e1a9e031664db4bb18f7d3b40c8fced7c535360b1fc3f0cce015374c589a984c13a3312c74c3b44fcfc3527b40053653996b059760d864df39ffcd53f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3173451.exe
    Filesize

    372KB

    MD5

    1218167261bffaf0805e36bbc63f275c

    SHA1

    ec9170472341512d8229ee0f890b0a25962d8a1d

    SHA256

    38ebc46d94cfd2596e9fd3d47ebe717224d001a29750bd086989f65762f0dc21

    SHA512

    6c5ae4e1a9e031664db4bb18f7d3b40c8fced7c535360b1fc3f0cce015374c589a984c13a3312c74c3b44fcfc3527b40053653996b059760d864df39ffcd53f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6834943.exe
    Filesize

    216KB

    MD5

    18a58a3b1d890902e80e381da8d23e25

    SHA1

    81b0c4b8325f27bfd62784fb9c206f9b2f0b4862

    SHA256

    1e8e94dacdda9c8170e2f4c7f9748a811c29955a26724dc5d4e3b7960617f23d

    SHA512

    f093bd6b86ba7c2f99b5a6cab74996a384e6b5282c1700919468953a353c5680b5af5fa0418ca15bf5160a0f12bf8e6352047638558885db3ba8a928dcc4e3cd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6834943.exe
    Filesize

    216KB

    MD5

    18a58a3b1d890902e80e381da8d23e25

    SHA1

    81b0c4b8325f27bfd62784fb9c206f9b2f0b4862

    SHA256

    1e8e94dacdda9c8170e2f4c7f9748a811c29955a26724dc5d4e3b7960617f23d

    SHA512

    f093bd6b86ba7c2f99b5a6cab74996a384e6b5282c1700919468953a353c5680b5af5fa0418ca15bf5160a0f12bf8e6352047638558885db3ba8a928dcc4e3cd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0020880.exe
    Filesize

    139KB

    MD5

    99d7ee2c5f6ef0495a738954860cbd0b

    SHA1

    e85ddb2c2dde25bbb244e1605ca1c981c1be089d

    SHA256

    6dda06a2338ce192bb1a2c9be2825ae8f5d1797b31bb296c1076069c91b81886

    SHA512

    cd4e8df0cf506fcd5af38e3b3dfcb36c6a462b4bec44b10d3d8d3ce038dae2820f13d953a069490aa58435d4fee83a2ce2c13910f6eec8deb263eb0a1c7403ba

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0020880.exe
    Filesize

    139KB

    MD5

    99d7ee2c5f6ef0495a738954860cbd0b

    SHA1

    e85ddb2c2dde25bbb244e1605ca1c981c1be089d

    SHA256

    6dda06a2338ce192bb1a2c9be2825ae8f5d1797b31bb296c1076069c91b81886

    SHA512

    cd4e8df0cf506fcd5af38e3b3dfcb36c6a462b4bec44b10d3d8d3ce038dae2820f13d953a069490aa58435d4fee83a2ce2c13910f6eec8deb263eb0a1c7403ba

    Download Submit
  • memory/4236-150-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download