Overview

overview

7

Static

static

3

4bcbf5de07...32.exe

windows7-x64

7

4bcbf5de07...32.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2023, 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bcbf5de07765497b179c82c2bb884d0_exe32.exe

  • Size

    288KB

  • MD5

    4bcbf5de07765497b179c82c2bb884d0

  • SHA1

    8ad1224090c45d97ed3f24c2db51f1f145e3e585

  • SHA256

    e09f31263b05583638cb150ae1332729e4d9140a6d3e7fc9531a9e7ed8ceb6d4

  • SHA512

    61d4784176abddb0f0278004ea2a29fc6432efe820d900154f8fb5704ead432955c5e27b45c3476fc7aaec39e8fb1f3e044e1e7965b1e096cf3c43a4f0ed6714

  • SSDEEP

    6144:pQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:pQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bcbf5de07765497b179c82c2bb884d0_exe32.exe
    "C:\Users\Admin\AppData\Local\Temp\4bcbf5de07765497b179c82c2bb884d0_exe32.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    Filesize

    288KB

    MD5

    576cad6e981c284291f8fb427af103d5

    SHA1

    f29c9c2e67ddb3ebf8854d4db4b12f476f61c7bd

    SHA256

    d5ba5cf43fd8ac528ecea44375654620889efd7f065e603d81e53d615d379fac

    SHA512

    9b610e3ff21bf7c0a5eab1d34e43fa803ea2531547638b81318a50711ba73f682a3257c99982969e48a19e52fb923ab5b652550f4f98a380d4a57dfbd057628b

    Download Submit