Overview

overview

7

Static

static

3

4890ac55f0...55.exe

windows7-x64

7

4890ac55f0...55.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 01:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4890ac55f0ec5b68a45ad880c9a39e55.exe

  • Size

    194KB

  • MD5

    4890ac55f0ec5b68a45ad880c9a39e55

  • SHA1

    e1b4ee831075ba1b0dba1507dec340e2929f7da6

  • SHA256

    0879e3a09538aaa80f1ce9f0a9f8627f21a0886f94f7759a17bba410948cfb08

  • SHA512

    c2b1b239c83fed099f3516eaa8019bb03c05743a2a0aa4aba80844e15f3387a2f44e21a8e7776c4554ad79f82d75672ad93850833c4e427acfc7139d4b12cf21

  • SSDEEP

    6144:yaaQdGnSlSD9CQNOuhUL7hJxlX1eK47Y:3FSDsn+UnhJxlt

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\4890ac55f0ec5b68a45ad880c9a39e55.exe
      "C:\Users\Admin\AppData\Local\Temp\4890ac55f0ec5b68a45ad880c9a39e55.exe"
      2⤵
      • Registers COM server for autorun
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:3504

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\$4732b980f267194ec6fce0414fbbade7\n
          Filesize

          25KB

          MD5

          9e0cd37b6d0809cf7d5fa5b521538d0d

          SHA1

          411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

          SHA256

          55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

          SHA512

          b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

          Download Submit

        • memory/2640-3-0x00000000031D0000-0x00000000031D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2640-10-0x00000000031D0000-0x00000000031D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2640-11-0x00000000031D0000-0x00000000031D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3264-1-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3264-2-0x0000000000450000-0x0000000000550000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3264-9-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download