Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 15:55

General

  • Target

    0480e4cfa319fada861bad6fdcae6475.exe

  • Size

    116KB

  • MD5

    0480e4cfa319fada861bad6fdcae6475

  • SHA1

    0f7d5ab1f91894d04acfedb15ba387e9ed34da08

  • SHA256

    98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd

  • SHA512

    7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6

  • SSDEEP

    3072:Afcl+7jQq3piXYkXzwwj2vvO9fCvou/tGWZfVwMS:l/kuwlvW9JCfn

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe
    "C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\helloserv.exe
      "C:\Windows\helloserv.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1664
  • C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\helloserv.exe" enable
    1⤵
    • Modifies Windows Firewall
    PID:2840
  • C:\Windows\system32\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    1⤵
    PID:2800
  • C:\Windows\system32\w32tm.exe
    w32tm /config /update
    1⤵
    PID:2760
  • C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2080
  • C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\helloserv.config
    Filesize
    47KB
    MD5
    1a042f39b9646d2937909278383227ed
    SHA1
    b5867c2dc8e7730b6a28876fc3d84bed229ff96c
    SHA256
    38f92478c08e20cd1d4dd875cb3bdc00256137a25572b651aceb4186f9977e16
    SHA512
    53142b822a95c63f30a4e27e3e76ec45355a4344dafcaf818d3c3056603e189c7b6fb127932f10ced56473775c31966f4937ab72fd0687288c31c4d34926d5b1
  • C:\Windows\helloserv.config
    Filesize
    3KB
    MD5
    cd98b5b809847fafcdc44fba042427da
    SHA1
    dfbac178fa22b66b6430c2b18044333ed7ceef52
    SHA256
    f01d42b7bbc301044ad2b0523946473640d6863051e58a7c021e0b2474141cef
    SHA512
    c99b553e62a993c33c62ec5da20be81c4bb4dc69595ca7c471f05de00d22aefd3c43e583cbc8ad79e2e25b351b3d30f91f90f4ec605cd60cfab5507c93b15205
  • C:\Windows\helloserv.config
    Filesize
    4KB
    MD5
    c227361b3fbaaf37951e2ba3e831d08b
    SHA1
    b49d16a86a03a9c2ef84b5ec345182e17a410e42
    SHA256
    23054a45d6c2beddc6169f75a7170157b4d15b3a17bfc994bc47545c22077ba4
    SHA512
    ee72db409e7def38b2a849f42ebf089bf16a10bfa33ba19ad1ad9281cc628d15925a157641fdd470b928d35fc6acfd1debaeaa2d965fa752cc94809972624429
  • C:\Windows\helloserv.exe
    Filesize
    116KB
    MD5
    0480e4cfa319fada861bad6fdcae6475
    SHA1
    0f7d5ab1f91894d04acfedb15ba387e9ed34da08
    SHA256
    98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd
    SHA512
    7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6
  • C:\Windows\helloserv.exe
    Filesize
    82KB
    MD5
    3806ce06001abb50c64c6b989667ec1b
    SHA1
    17ef7dafa152088327c14ab9023e3db7565ee7f1
    SHA256
    5e036dcdd8f11d3bb0380f4f54e90396b449b9ba55cbf4cdf4e83228028d7821
    SHA512
    56ac70a8a4d25ea2df00bfd20f96cb4e618f5c74ed06b984365f487843b2bd173c0cad7d59aa23e92c8a1961a4fbfa4847fb22a2bd180d09d50fa066c313e20f
  • memory/1664-1002-0x0000000000420000-0x0000000000451000-memory.dmp
    Filesize
    196KB