Overview

overview

8

Static

static

3

59fe5bde6e...3b.exe

windows7-x64

8

59fe5bde6e...3b.exe

windows10-2004-x64

Analysis

  • max time kernel
    121s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19/12/2023, 16:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    59fe5bde6e6b2618e19aae781f18963b.exe

  • Size

    7.9MB

  • MD5

    59fe5bde6e6b2618e19aae781f18963b

  • SHA1

    ac7b2e2d34e74bd353ed8159b97786777bbdfa1b

  • SHA256

    ce67a35ffec02a360bf8560e19b94a3761be6bd81fc4dcfc3f38ae4312ad8ef9

  • SHA512

    2cb2aa79a880f797918df2460048c9f69c0f09f32cc0dc9e7c4c4e0a1771f976016fe90a7e8a460eb4f9e7e87c221ce9a729b7e7fc496ad964f8a3eb60a754ce

  • SSDEEP

    196608:fWwal3dal3POal3dalGQpmal3dal3POal3dalWal3dal3POal3dalGQpmal3dald:g3UR3UGQ73UR3Ux3UR3UGQ73UR3Uq

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe
    "C:\Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe
      C:\Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:2144
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:2968
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2824

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe
            Filesize

            7.9MB

            MD5

            1b4e0f5b8cd6e6197ef6659df7c9babd

            SHA1

            c5c04cc0e35ec3e8dc3fee5e24e30b70570c09af

            SHA256

            b260f7731daebc134acf68ae1fc87822aed2b393ebe67c28b6e321682cfe176b

            SHA512

            e4dde7ade9d554b61030adaa74b9060b0faba19e3a7f53447e532a0780a13d3c3dc93e35493e1b72e880e77ff95636e216658c67b7653190a88c16fa5faf1db6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar6BD2.tmp
            Filesize

            64KB

            MD5

            69b8e2fe3bb7142b759bbc3bd3092cc2

            SHA1

            c55b032e44415d77a1a2f3f6c6c049b7cc32afd7

            SHA256

            d31cf766104ab57466eca8c74b0b1dc3f7729270b60df98dde747087ec3e8bb4

            SHA512

            c3b3ca6861a0e35822f0c5b6085f7fc1444b051548aec4362723d1b7a14b72cd832335ca29eea23ce8f9fb71f4ac76c6bf2b58a220722e7843461bf095970b7b

            Download Submit

          • \Users\Admin\AppData\Local\Temp\59fe5bde6e6b2618e19aae781f18963b.exe
            Filesize

            7.2MB

            MD5

            db8a9436110ba6cd1d929727d301b572

            SHA1

            056d12230e8da864b57e5d7a3ba4aa98ef969605

            SHA256

            4f78d2f58d0b4b36bdb11a5dc4a6c82f3275586c6baff063d6c8c5a2e7242637

            SHA512

            60a364e5f58a081318583d08c4887fe59eb143de0c51071fa5678e0c7abec28ff69c94d209179cc29a10247cb5cf468873384c465859311a278abbb377b7a39b

            Download Submit

          • memory/2144-11-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2144-13-0x0000000000360000-0x00000000003D2000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2144-12-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2144-20-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2144-63-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2356-6-0x0000000000120000-0x0000000000192000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2356-0-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2356-9-0x0000000000400000-0x0000000000472000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2824-65-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2824-66-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

            Filesize

            4KB

            Download