Overview

overview

8

Static

static

3

b63173182f...a1.exe

windows7-x64

8

b63173182f...a1.exe

windows10-2004-x64

8

Resubmissions

25/08/2023, 12:34

230825-pr95kade4w 8

25/08/2023, 12:29

230825-pn7j9sbf78 8

Analysis

  • max time kernel
    32s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2023, 12:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b63173182f3f2f00b9ae41581579d9515f423b942fd87019d81b99d9451806a1.exe

  • Size

    1.2MB

  • MD5

    5396f9a4b3baee2f1a1b9448445524d4

  • SHA1

    eb203565ce0b33a6b83e9081db6fb45e6e0b07e1

  • SHA256

    b63173182f3f2f00b9ae41581579d9515f423b942fd87019d81b99d9451806a1

  • SHA512

    e1967ea8a15d70c239bed37b6c86f50c70325bf79de17970adf59034024e4556ab1e41b48ed9e1c52b3f3c236af0d00fe6125586c3bf38756d3c37777b16b92c

  • SSDEEP

    12288:0lSi2oPB+GnrplXVIxJmxwn+/Cg1gPTxGq/GeQgf57jBpGCn:0oyBxnNllInmFgPEKLQ45fB9

Score
8/10
discoveryevasionpersistence

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b63173182f3f2f00b9ae41581579d9515f423b942fd87019d81b99d9451806a1.exe
    "C:\Users\Admin\AppData\Local\Temp\b63173182f3f2f00b9ae41581579d9515f423b942fd87019d81b99d9451806a1.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im kavsvc.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im qwq.kxp
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Rav.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ravmon.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:372
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360tray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im VsTskMgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Mcshield.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ /r /d y
      2⤵
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:9628

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads