Overview

overview

7

Static

static

3

memdump_E3...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2023, 23:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    memdump_E30_03193020_a6fe0.exe

  • Size

    667KB

  • MD5

    015fb753dee2c3553aefee19a57c08fe

  • SHA1

    6e0a0dc558965ac251796711450e54394951fc20

  • SHA256

    9ac77e13a14e9ad81b44b48d7ed3c9a73ad0c75fca74ff5271faaae6c15dd974

  • SHA512

    9f8cf9315f7a504c67fafb83d2e44cab9cabdc2a43accfe1874ecf05d9019af9ef0af14d9046d95cbd2252003b67f01d43e2bf4e502ac3cae50f16e2dd99061d

  • SSDEEP

    6144:BKUjrESZxB5+TlkJUjvvh02jwipRISx61Po4WSXp:lr3xB5+JM+6owizHx4o4WSX

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Script User-Agent 18 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\memdump_E30_03193020_a6fe0.exe
    "C:\Users\Admin\AppData\Local\Temp\memdump_E30_03193020_a6fe0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\sysras.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\sysras.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1488
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\sysras.exe
          Filesize

          667KB

          MD5

          015fb753dee2c3553aefee19a57c08fe

          SHA1

          6e0a0dc558965ac251796711450e54394951fc20

          SHA256

          9ac77e13a14e9ad81b44b48d7ed3c9a73ad0c75fca74ff5271faaae6c15dd974

          SHA512

          9f8cf9315f7a504c67fafb83d2e44cab9cabdc2a43accfe1874ecf05d9019af9ef0af14d9046d95cbd2252003b67f01d43e2bf4e502ac3cae50f16e2dd99061d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\sysras.exe
          Filesize

          667KB

          MD5

          015fb753dee2c3553aefee19a57c08fe

          SHA1

          6e0a0dc558965ac251796711450e54394951fc20

          SHA256

          9ac77e13a14e9ad81b44b48d7ed3c9a73ad0c75fca74ff5271faaae6c15dd974

          SHA512

          9f8cf9315f7a504c67fafb83d2e44cab9cabdc2a43accfe1874ecf05d9019af9ef0af14d9046d95cbd2252003b67f01d43e2bf4e502ac3cae50f16e2dd99061d

          Download Submit

        • memory/1216-2-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-3-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-4-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-8-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-9-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-10-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-13-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-14-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-12-0x000001D899030000-0x000001D899031000-memory.dmp

          Filesize

          4KB

          Download