Analysis

  • max time kernel
    240s
  • max time network
    274s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 02:26 UTC

General

  • Target

    4ca1d55fc6c8f36d8e435cf9743b1b2e.exe

  • Size

    24KB

  • MD5

    4ca1d55fc6c8f36d8e435cf9743b1b2e

  • SHA1

    16cb028e0d876d0654b7cec76948b6220b76e583

  • SHA256

    81a0fbf5bb98f65c5c7c8140113b555bf3712477163cad9146f2f585cf458cbd

  • SHA512

    d9b7178a882f4e1e7587314b8a59c98aeec28e56b1c31907288faaf0d83676a5be5429cdaf52930410fd9762b34896f686ff7d5b87e8d2d80e97ae2cb7d63521

  • SSDEEP

    384:E3eVES+/xwGkRKJtCxlM61qmTTMVF9/q5K0:bGS+ZfbJ4xO8qYoA7

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ca1d55fc6c8f36d8e435cf9743b1b2e.exe
    "C:\Users\Admin\AppData\Local\Temp\4ca1d55fc6c8f36d8e435cf9743b1b2e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
          PID:2908
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:1988
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -an
          3⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:1612
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      1⤵
        PID:1556

Network

  • DNS
    www.kvic.jp
    4ca1d55fc6c8f36d8e435cf9743b1b2e.exe
    Remote address:
    8.8.8.8:53
    Request
    www.kvic.jp
    IN A
    Response
    No results found
  • 8.8.8.8:53
    www.kvic.jp
    dns
    4ca1d55fc6c8f36d8e435cf9743b1b2e.exe
    57 B
    107 B
    1
    1

    DNS Request

    www.kvic.jp

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    8KB

    MD5

    01e06d05e9eb3295d4da110f666b6b85

    SHA1

    d3122cc6d1196dcfd78b3e7a0c11fa707789590c

    SHA256

    0ef5e03a86df1b029e61c0af50b644236d7e5c1b06263ad0b59a5c9544d4ccc1

    SHA512

    c7798cd00dd5c7871d37148f6f50a0ac5478e352ef6127afb4b7bd90016e9e868fe875e5c369237a5896c2d9421239c8e93e8a4f01695b67ededf6be7f062aeb