Overview

overview

10

Static

static

3

1743425a04...89.exe

windows7-x64

10

1743425a04...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1743425a049c54fd167710d3086d2d89.exe

  • Size

    27KB

  • MD5

    1743425a049c54fd167710d3086d2d89

  • SHA1

    6c048666dda20a16e173242ccee872669d063c31

  • SHA256

    9d798ac5ca5db0dea0d4dfca69afa019009ad2e54fc2fb9a753074cb4cccb9a3

  • SHA512

    451539922aca40e1b0eb8a943ed9ed608a7748fb1a0948ecbb2231952686e352dd6df2d841de181e5e564d689a65f61eb5c675f84a8e9ca927f281ce70d6eabd

  • SSDEEP

    384:6bAMu9pFT5SlKyx5R4oEI3bedaBAWoWwyPydhQAi1WUhKZAgDdjY6cOvK6:6bxuRTolKyxrx8a2NpoMFUWUheR3w6

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 9 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1743425a049c54fd167710d3086d2d89.exe
    "C:\Users\Admin\AppData\Local\Temp\1743425a049c54fd167710d3086d2d89.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies Internet Explorer Phishing Filter
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4960
    • C:\Windows\SysWOW64\smss32.exe
      C:\Windows\system32\smss32.exe
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies Internet Explorer Phishing Filter
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2488
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s C:\Windows\system32\helpers32.dll
        3⤵
          PID:2060

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\smss32.exe
      Filesize

      27KB

      MD5

      1743425a049c54fd167710d3086d2d89

      SHA1

      6c048666dda20a16e173242ccee872669d063c31

      SHA256

      9d798ac5ca5db0dea0d4dfca69afa019009ad2e54fc2fb9a753074cb4cccb9a3

      SHA512

      451539922aca40e1b0eb8a943ed9ed608a7748fb1a0948ecbb2231952686e352dd6df2d841de181e5e564d689a65f61eb5c675f84a8e9ca927f281ce70d6eabd

      Download Submit