Analysis

  • max time kernel
    122s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 00:06

General

  • Target

    452307baa936693407ac9b8162f0d653.exe

  • Size

    24KB

  • MD5

    452307baa936693407ac9b8162f0d653

  • SHA1

    b895feab1ba33b678fedad757f9f29ea68a44cd6

  • SHA256

    99ee102c59255bf574919f34e14e8a45a155d1e0f7f26b7aeb7df9bbaaf6ccf4

  • SHA512

    3658f90c89c4c0ebce98b3de579c410abeeb85133baee14473c492761cd25c5ef69a5d3728126029cdcb08236f090833f4a8293fe6cdd9bfdcbf4ec934011a8d

  • SSDEEP

    384:E3eVES+/xwGkRKJklM61qmTTMVF9/q5G0:bGS+ZfbJkO8qYoAv

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\452307baa936693407ac9b8162f0d653.exe
    "C:\Users\Admin\AppData\Local\Temp\452307baa936693407ac9b8162f0d653.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
        PID:2440
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:2708
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\SysWOW64\net.exe
        net start
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start
          4⤵
          PID:2680
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2900

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    8KB

    MD5

    81fd74376bfe1dfb29b47796237a1a59

    SHA1

    bb0d26a84b3c88bf7cdd0eaa96bca7a0cec16d9d

    SHA256

    80b162ec8a6c129969d725515e5d63c86c24b6a21ace8ef4e2fa983bb84c12ff

    SHA512

    1f3cf35df82607f1bdcbd6bea43b8114bc1f3d5bada51f57dc67dafe0c70656e67eded1ca6415d0fe5028a283f38b91d074d7697f0c06cee38ee321f8082fa7f