Overview

overview

10

Static

static

3

9cd4cebf8b...fa.exe

windows7-x64

10

9cd4cebf8b...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cd4cebf8b04cd6864b59e4c0cf4aafa.exe

  • Size

    654KB

  • MD5

    9cd4cebf8b04cd6864b59e4c0cf4aafa

  • SHA1

    2287faa3026c5981f3796268112998ac1c06c5d3

  • SHA256

    748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

  • SHA512

    03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

  • SSDEEP

    12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
        PID:4032
      • C:\Windows\System32\mousocoreworker.exe
        C:\Windows\System32\mousocoreworker.exe -Embedding
        2⤵
          PID:2328
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
          2⤵
            PID:4136
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            2⤵
              PID:4368
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              2⤵
                PID:2708
              • C:\Windows\system32\backgroundTaskHost.exe
                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                2⤵
                  PID:3544
                • C:\Windows\system32\BackgroundTransferHost.exe
                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                  2⤵
                    PID:4828
                  • C:\Windows\system32\backgroundTaskHost.exe
                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                    2⤵
                      PID:32
                    • C:\Windows\system32\BackgroundTransferHost.exe
                      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      2⤵
                        PID:4496
                      • C:\Windows\system32\BackgroundTransferHost.exe
                        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                        2⤵
                          PID:4928
                        • C:\Windows\system32\backgroundTaskHost.exe
                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                          2⤵
                            PID:2196
                          • C:\Windows\system32\BackgroundTaskHost.exe
                            "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                            2⤵
                              PID:4904
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              2⤵
                                PID:1852
                            • C:\Users\Admin\AppData\Local\Temp\9cd4cebf8b04cd6864b59e4c0cf4aafa.exe
                              "C:\Users\Admin\AppData\Local\Temp\9cd4cebf8b04cd6864b59e4c0cf4aafa.exe"
                              1⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4988
                            • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
                              C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
                              1⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3940
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 684
                                2⤵
                                • Program crash
                                PID:892
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 692
                                2⤵
                                • Program crash
                                PID:2292
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3940 -ip 3940
                              1⤵
                                PID:3616
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3940 -ip 3940
                                1⤵
                                  PID:2988

                                Network

                                MITRE ATT&CK Matrix ATT&CK v13

                                Initial Access

                                Execution

                                Persistence

                                Privilege Escalation

                                Defense Evasion

                                Credential Access

                                Discovery

                                Query Registry

                                1
                                T1012

                                Peripheral Device Discovery

                                1
                                T1120

                                System Information Discovery

                                1
                                T1082

                                Lateral Movement

                                Collection

                                Exfiltration

                                Command and Control

                                Impact

                                Resource Development

                                Reconnaissance

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\csllzaa
                                  Filesize

                                  654B

                                  MD5

                                  0269b753ce2098e66dd7fd2068a9e0dc

                                  SHA1

                                  49c5ebe8e401c72b1ebc5154687a90bee292899d

                                  SHA256

                                  fd5aebc0b5e385e9b9dd08ae905082d69783bfde3a26ba039b7069fdc73d9456

                                  SHA512

                                  26fb7fa4fcc67d5c9b9e7b413bdb3a6d744430e243cd29ae986e319c25bfd1f09289300b4351a11b31d46a9997e189adacc7238edc5ba55deefe4216f9f8caed

                                  Download Submit
                                • C:\Users\Admin\AppData\Local\Temp\pcftxel.exe
                                  Filesize

                                  654KB

                                  MD5

                                  9cd4cebf8b04cd6864b59e4c0cf4aafa

                                  SHA1

                                  2287faa3026c5981f3796268112998ac1c06c5d3

                                  SHA256

                                  748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

                                  SHA512

                                  03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

                                  Download Submit
                                • memory/812-17-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-9-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-11-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-12-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-15-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-21-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-48-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-215-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/812-3331-0x000000000D4E0000-0x000000000D557000-memory.dmp
                                  Filesize

                                  476KB

                                  Download
                                • memory/3940-6-0x0000000000B40000-0x0000000000D8B000-memory.dmp
                                  Filesize

                                  2.3MB

                                  Download
                                • memory/4988-1-0x0000000000E20000-0x000000000106B000-memory.dmp
                                  Filesize

                                  2.3MB

                                  Download
                                • memory/4988-0-0x0000000000C00000-0x0000000000E1A000-memory.dmp
                                  Filesize

                                  2.1MB

                                  Download