Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
-
submitted
19-09-2023 13:06
General
-
Target
Decra.exe
-
Size
308KB
-
MD5
8df1195087daa119e81fd0cc529c88e5
-
SHA1
52f743d2fa6fa607278dac4a2bf7a3c054252c9f
-
SHA256
d981fe00432dc5aa059884558c02276379f4cadbb7054c23962cb71122342b9d
-
SHA512
2d141a3d6879f7b39b69f3d4acf0ee5faa28d786fdb538daeabd834cff344647985eff48747cf5e8061eb583b72ca33741399be43e73c92bf4e9d8b06dd108b3
-
SSDEEP
6144:kk4DdotiH8um78UhQyZ72VQShKLzuTHDZnvU4lYgfg:r61m7rhQyZiBV4gf
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Decra.exe"C:\Users\Admin\AppData\Local\Temp\Decra.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Decra.exe\\?\C:\Users\Admin\AppData\Local\Temp\Decra.exe -network2⤵
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵
-
-