Overview

overview

8

Static

static

3

4c18c9bb5b...56.exe

windows7-x64

8

4c18c9bb5b...56.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2023, 07:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4c18c9bb5be03f26c481fbf27fadcaefc4bb2a769869fa2a38042bca9651e656.exe

  • Size

    3.4MB

  • MD5

    0d609b850c58e45d2ceb61a5cac27d74

  • SHA1

    32a8f45d5d99f2700c19d830c0780babbcf37c3f

  • SHA256

    4c18c9bb5be03f26c481fbf27fadcaefc4bb2a769869fa2a38042bca9651e656

  • SHA512

    34ee0aba9024b16d8f62a7f4927c152ed35c14d97f7e8581f93969824d3f88c2c9ce8c6f4ce6b879bc12a6c1a8db841c30d13bbe930774755722b34d0dbad05a

  • SSDEEP

    49152:H7TvfU+8X9GrNOsva5RbKhF3ANkTTlkKXO3GYCGUEtaOI30Rw:c+8X9G3vP3AMZO2YTUWvIkRw

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 9 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c18c9bb5be03f26c481fbf27fadcaefc4bb2a769869fa2a38042bca9651e656.exe
    "C:\Users\Admin\AppData\Local\Temp\4c18c9bb5be03f26c481fbf27fadcaefc4bb2a769869fa2a38042bca9651e656.exe"
    1⤵
      PID:4508
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2528
    • C:\Windows\system32\werfault.exe
      werfault.exe /hc /shared Global\03c1296eb83e4d07aea5597f9cbe696d /t 488 /p 2780
      1⤵
        PID:1632
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2900
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1708
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4212
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3852
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1692
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:224
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3748
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:2032
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3100
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1420
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1956
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3024
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4396
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2536
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:2528
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3772
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3444
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:532
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:2672
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:4052
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:5080
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:924
              • C:\Windows\system32\werfault.exe
                werfault.exe /hc /shared Global\842a559fa4484a80a0d9c626ac59c0e4 /t 2024 /p 924
                1⤵
                  PID:5116

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EPO8EV36\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        8d7abe47143f0a515b5f117a94ded39e

                        SHA1

                        90337a91d43d2137a8f57dc4ef6ab5755552dd19

                        SHA256

                        60a4a384e8ca0aba6e4da4e03048941baca992e1abea45ff27b85e3e91fad64d

                        SHA512

                        81a348e7652ec68c4da3bcd1f303e13f9de0b3f965b8f8580aa5fd6826780e5a866962b721285d58b0d5e46e8ad479283bf0ddfde6593d6e661657921ce6f2dd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133424322262725671.txt
                        Filesize

                        74KB

                        MD5

                        4f88ba2ee36a85f492a7c97dbf4e7a7a

                        SHA1

                        723b6d395d51d72c44bd4b7b9898b1c8c325ffe0

                        SHA256

                        be65b98b65d333293bc5c7483490364b509a5506877ee52ede71ae6f5131daa5

                        SHA512

                        ed84fb8b2861ff185b16e325fff29e18de0a08a6bd3ec163ed75b45e9c779ce33a8d9d76b31dfe86c1be50def64b433ae8028dc7f3ecdee7487d1875d0f9e942

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133424322558928156.txt
                        Filesize

                        74KB

                        MD5

                        4f88ba2ee36a85f492a7c97dbf4e7a7a

                        SHA1

                        723b6d395d51d72c44bd4b7b9898b1c8c325ffe0

                        SHA256

                        be65b98b65d333293bc5c7483490364b509a5506877ee52ede71ae6f5131daa5

                        SHA512

                        ed84fb8b2861ff185b16e325fff29e18de0a08a6bd3ec163ed75b45e9c779ce33a8d9d76b31dfe86c1be50def64b433ae8028dc7f3ecdee7487d1875d0f9e942

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EPO8EV36\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        8d7abe47143f0a515b5f117a94ded39e

                        SHA1

                        90337a91d43d2137a8f57dc4ef6ab5755552dd19

                        SHA256

                        60a4a384e8ca0aba6e4da4e03048941baca992e1abea45ff27b85e3e91fad64d

                        SHA512

                        81a348e7652ec68c4da3bcd1f303e13f9de0b3f965b8f8580aa5fd6826780e5a866962b721285d58b0d5e46e8ad479283bf0ddfde6593d6e661657921ce6f2dd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EPO8EV36\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        8d7abe47143f0a515b5f117a94ded39e

                        SHA1

                        90337a91d43d2137a8f57dc4ef6ab5755552dd19

                        SHA256

                        60a4a384e8ca0aba6e4da4e03048941baca992e1abea45ff27b85e3e91fad64d

                        SHA512

                        81a348e7652ec68c4da3bcd1f303e13f9de0b3f965b8f8580aa5fd6826780e5a866962b721285d58b0d5e46e8ad479283bf0ddfde6593d6e661657921ce6f2dd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EPO8EV36\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        8d7abe47143f0a515b5f117a94ded39e

                        SHA1

                        90337a91d43d2137a8f57dc4ef6ab5755552dd19

                        SHA256

                        60a4a384e8ca0aba6e4da4e03048941baca992e1abea45ff27b85e3e91fad64d

                        SHA512

                        81a348e7652ec68c4da3bcd1f303e13f9de0b3f965b8f8580aa5fd6826780e5a866962b721285d58b0d5e46e8ad479283bf0ddfde6593d6e661657921ce6f2dd

                        Download Submit

                      • memory/224-37-0x0000000004140000-0x0000000004141000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/924-121-0x000001CA9BEC0000-0x000001CA9BEE0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/924-119-0x000001CA9B8A0000-0x000001CA9B8C0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/924-117-0x000001CA9B8E0000-0x000001CA9B900000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1692-8-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1708-50-0x000001E6AC6E0000-0x000001E6AC700000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1708-46-0x000001E6AC220000-0x000001E6AC240000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1708-43-0x000001E6AC260000-0x000001E6AC280000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2528-84-0x0000000004E40000-0x0000000004E41000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2536-71-0x000001D1C9220000-0x000001D1C9240000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2536-73-0x000001D1C9630000-0x000001D1C9650000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2536-69-0x000001D1C9260000-0x000001D1C9280000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3024-61-0x0000000004A20000-0x0000000004A21000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3444-96-0x0000013D0D900000-0x0000013D0D920000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3444-94-0x0000013D0D260000-0x0000013D0D280000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3444-92-0x0000013D0D2A0000-0x0000013D0D2C0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4052-109-0x0000000004C10000-0x0000000004C11000-memory.dmp

                        Filesize

                        4KB

                        Download