Overview

overview

8

Static

static

3

a36d3385bd...cd.exe

windows7-x64

8

a36d3385bd...cd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 21:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a36d3385bdacdbca767a6bdec2903f8a496cf5f1a936e6fd1fa929fbcd8e9bcd.exe

  • Size

    3.1MB

  • MD5

    35e45becf24eee38bb84522c7f671e9d

  • SHA1

    6613b6f3d7a1781c31b9be5609693fe6c8967d03

  • SHA256

    a36d3385bdacdbca767a6bdec2903f8a496cf5f1a936e6fd1fa929fbcd8e9bcd

  • SHA512

    82602b00a9352d1b230f7265b0d20e96e108cf53f7fd3182db33899bfcc63daac03037a41331ee2dfe2e24ab4c5f5c0ea78810b238f79fa5ae41e6e099e2ba3a

  • SSDEEP

    49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTl693lAV3C4u6TAdC:Q+8X9G3vP3AMw3lNmMdC

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 9 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a36d3385bdacdbca767a6bdec2903f8a496cf5f1a936e6fd1fa929fbcd8e9bcd.exe
    "C:\Users\Admin\AppData\Local\Temp\a36d3385bdacdbca767a6bdec2903f8a496cf5f1a936e6fd1fa929fbcd8e9bcd.exe"
    1⤵
      PID:5096
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5108
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4440
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4548
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2956
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2496
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4124
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1772
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:528
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1964
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:3456
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3828
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2144
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4936
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3340
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4740
    • C:\Windows\system32\werfault.exe
      werfault.exe /hc /shared Global\d5b45853d5694f7989ba919fe4af3bb6 /t 4224 /p 4360
      1⤵
        PID:4708
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5064
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3916
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:5116
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3960
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1504
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3476
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:4008
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:3596
          • C:\Windows\system32\werfault.exe
            werfault.exe /hc /shared Global\a7f6dbb3673848aabd9bfc00584d9a90 /t 4144 /p 3760
            1⤵
              PID:3284
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:5104
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:672
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:3952
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:3748

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A7891822FCFF127E4EADADE9757112B
                            Filesize

                            1KB

                            MD5

                            e78f4000d56ae40ded4172f304706286

                            SHA1

                            fd0e8c0b4cd55dcde5b7312a55e3696ea03b9073

                            SHA256

                            423bb56456ca3b671a3b21c745e0ea5009eef20d0bc625c960ebfa54984a3cce

                            SHA512

                            068ed06c6028c7efc29cd8eb8a3efa893a5b9c4f27559b1e2873f6cb1bcb5a381facbea5cb0c1773e02a82d8487fd19fbb30a3eb495ffc0c7db67492b6364482

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B
                            Filesize

                            246B

                            MD5

                            01da0f16092f9335bb1ea43be34cbfe5

                            SHA1

                            88d1ed112fbce8309826422a5a2e1b305cd8a58a

                            SHA256

                            5f2054b3d34a57d0ae928fd23ced093fefbed5937f961334fb498d0e46b0eaec

                            SHA512

                            05351f0b86ef0bc3e42cab8774f91e49b4a5771500dae7afda4b0f979fadd965f2671e6d5e714791608601c8f1090cceb3e65f07f63aa7d0ae7c3e2788665f16

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            82b066a0c26e9c3c026d421e012a093e

                            SHA1

                            2e4493ff239034dd93befa48a286616fa1222526

                            SHA256

                            a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64

                            SHA512

                            4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133417441689451259.txt
                            Filesize

                            75KB

                            MD5

                            62d81c2e1e8b21733f95af2a596e4b18

                            SHA1

                            91c005ecc5ae4171f450c43c02d1ba532b4474c6

                            SHA256

                            a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

                            SHA512

                            c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133417441968585901.txt
                            Filesize

                            75KB

                            MD5

                            62d81c2e1e8b21733f95af2a596e4b18

                            SHA1

                            91c005ecc5ae4171f450c43c02d1ba532b4474c6

                            SHA256

                            a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

                            SHA512

                            c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            82b066a0c26e9c3c026d421e012a093e

                            SHA1

                            2e4493ff239034dd93befa48a286616fa1222526

                            SHA256

                            a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64

                            SHA512

                            4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            82b066a0c26e9c3c026d421e012a093e

                            SHA1

                            2e4493ff239034dd93befa48a286616fa1222526

                            SHA256

                            a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64

                            SHA512

                            4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PR67AA1Y\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            82b066a0c26e9c3c026d421e012a093e

                            SHA1

                            2e4493ff239034dd93befa48a286616fa1222526

                            SHA256

                            a4c381833e51949fd261b3e7bf72873bddc61d6eaf01a83a89beda5877338d64

                            SHA512

                            4fb425137bcab122288af0df6dd2774fb9179f9c178c8c7b738e6e293d8dbe0aff97a879f42670d07c5bbc69935104b8bdcef8fd7efaee48949dd354af626feb

                            Download Submit

                          • memory/672-135-0x0000021A8D8C0000-0x0000021A8D8E0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/672-138-0x0000021A8D880000-0x0000021A8D8A0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/672-140-0x0000021A8DF20000-0x0000021A8DF40000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/1504-104-0x0000000004A20000-0x0000000004A21000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2144-64-0x0000000003F60000-0x0000000003F61000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3340-72-0x000002974C940000-0x000002974C960000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3340-82-0x000002974CD60000-0x000002974CD80000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3340-79-0x000002974CDA0000-0x000002974CDC0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3340-76-0x000002974C900000-0x000002974C920000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3596-128-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3916-91-0x0000029829D00000-0x0000029829D20000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3916-94-0x00000298299B0000-0x00000298299D0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3916-96-0x000002982A150000-0x000002982A170000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4008-112-0x00000281608D0000-0x00000281608F0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4008-115-0x0000028160890000-0x00000281608B0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4008-119-0x0000028160CA0000-0x0000028160CC0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4124-24-0x0000000004800000-0x0000000004801000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4440-40-0x000002F5EB9B0000-0x000002F5EB9D0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4440-38-0x000002F5EB810000-0x000002F5EB830000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4440-36-0x000002F5EB540000-0x000002F5EB560000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4740-84-0x0000000004810000-0x0000000004811000-memory.dmp

                            Filesize

                            4KB

                            Download