Overview

overview

10

Static

static

3

14287df8a3...73.exe

windows7-x64

10

14287df8a3...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14287df8a3f5589f8468c7cb251f2373.exe

  • Size

    76KB

  • MD5

    14287df8a3f5589f8468c7cb251f2373

  • SHA1

    d76437768f86735273491fe26390e35ea53596b8

  • SHA256

    9adcd3f4f01336f3feec290a1a2ae01fec67a09078547c574cca225c710a403d

  • SHA512

    760f0e6d1a3e827d59bc982d14622848da1a835f35b0538a16d18886fe54a09543c2769a0bd62b25adc14ee2997cd4adc93560a4d39030a05808816a3b134075

  • SSDEEP

    768:RZVy+DZ4mV+RMO2rhgFwuqCbxTGy/BBGg4NKhLU4dhbDW2+Kv00dX0vN0TlT+Xya:7amlu3hbBGy3G8nhMpDz

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14287df8a3f5589f8468c7cb251f2373.exe
    "C:\Users\Admin\AppData\Local\Temp\14287df8a3f5589f8468c7cb251f2373.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • \??\c:\Documents and Settings\Admin\Application Data\Microsoft\ncsa.exe
      "c:\Documents and Settings\Admin\Application Data\Microsoft\ncsa.exe" 14287df8a3f5589f8468c7cb251f2373
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\ncsa.exe
    Filesize

    76KB

    MD5

    21e5fe5ca6eddf8c1f1838963a0a2baf

    SHA1

    a496821a632741acae36d12656c19a8fbbc2da24

    SHA256

    f072f422e0180ccd6d8eed52195833333bb9d9fa44a19837e0027ee96b3a7654

    SHA512

    48bf58582454dbf28d7a5f92dc14572d30bf76a06aed8c02fb2f3d683226b88cbfe5f29eed1ff1a59fdea9755e2252d3e0df9b5cdac6763a56d7ce005e6661c0

    Download Submit

  • \??\c:\windows\SysWOW64\Windows 3D.scr
    Filesize

    76KB

    MD5

    433d2ffac69d00ed101afcc7fd631496

    SHA1

    0b45c0293699282619d6e188e44714893d49c2e5

    SHA256

    dfc48b0e57bd852d4909214001f9b139b43e5b4387c213a1365bce2e260a6279

    SHA512

    eedc66abfdcd4c42b0e63d5767be82a4001ab991d9d4eeededcb655bd12649b65f4888b34fce42abe21902392434389006b7964843c3db36fc4cffdad3627921

    Download Submit

  • \??\c:\windows\SysWOW64\maxtrox.txt
    Filesize

    8B

    MD5

    24865ca220aa1936cbac0a57685217c5

    SHA1

    37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

    SHA256

    841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

    SHA512

    c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

    Download Submit