Overview

overview

10

Static

static

3

4e264da599...21.exe

windows7-x64

10

4e264da599...21.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e264da599ac8dc9c4f169f7fb5e2121.exe

  • Size

    393KB

  • MD5

    4e264da599ac8dc9c4f169f7fb5e2121

  • SHA1

    31d49d73d13f761fa99ed2f8200bd3c7120c4b07

  • SHA256

    42e99728dad6f383bd8c82776d7437064b54aacd4de5e43d44fda28e757e6fb0

  • SHA512

    acfc55a7fb8cead33f6bb2875341e0146cfea5092545dd49fb325c1cbeea7186dfda9a94ef1c2a4da78430d533707c5b96f4849eda06c8bf2615683d550a0fe1

  • SSDEEP

    6144:9VUeNULfjGQXr8sQwJ8RdCCKoryzWz0cSxhIC/aulYcJeNsrFS/Zt3Zu7Ea6zvN4:vvULyjQorymC/aWYuosit3ZaEa6zV0T

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 10 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\ProgramData\043A6A5B00014973000A239CB4EB2331\043A6A5B00014973000A239CB4EB2331.exe
    "C:\ProgramData\043A6A5B00014973000A239CB4EB2331\043A6A5B00014973000A239CB4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\4e264da599ac8dc9c4f169f7fb5e2121.exe"
    1⤵
    • Windows security bypass
    • Deletes itself
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:860
  • C:\Users\Admin\AppData\Local\Temp\4e264da599ac8dc9c4f169f7fb5e2121.exe
    "C:\Users\Admin\AppData\Local\Temp\4e264da599ac8dc9c4f169f7fb5e2121.exe"
    1⤵
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\043A6A5B00014973000A239CB4EB2331\043A6A5B00014973000A239CB4EB2331.exe
    Filesize

    92KB

    MD5

    5bfe1639ef61e9a89e1acab580dcfbb1

    SHA1

    942d25191882350c0cd894af2894d1360caabfd1

    SHA256

    9ff4193601e912f2855e8e61073bf049c937980441b3f8f9f8a6a6f75b3558c2

    SHA512

    b57520c5cb8458aebdbabd37dca326fb8a317a401e0902194dbc91a28d849739bf21a66be0a078770924258400cb4d8a601f8700ec03576693a7baab8e0df155

    Download Submit

  • \ProgramData\043A6A5B00014973000A239CB4EB2331\043A6A5B00014973000A239CB4EB2331.exe
    Filesize

    348KB

    MD5

    f126ce588086e2573686252dc1db242a

    SHA1

    18ba530bbbaec649658e8245a12d19e31d0591c2

    SHA256

    f8a2dbbb6d78e1a3d4a5e2446c32da3a8832173417b031170bb8f4411357aba5

    SHA512

    b3b04dfb3928975c2694b6bd00d5a3a00004d7ff5243fb0bc788f8faa69cd74e23141ad2382cbbe977907eada586f165e95e66384ecd940e7e3a91f09bf7443e

    Download Submit

  • \ProgramData\043A6A5B00014973000A239CB4EB2331\043A6A5B00014973000A239CB4EB2331.exe
    Filesize

    65KB

    MD5

    13e22ac9a8534a56401cbfef06b9be24

    SHA1

    306a59adbe4a4cea92dbd9072f6d77de6f59a0ad

    SHA256

    f221f68cdf2237b35a5db0657e5cb2cfb39f497cd6220c2555bebb9cab95451f

    SHA512

    ee76060e50fa2826c61ded36bc314dcc27263b47648c77e432815b02fd9d5e6407f09a7910221c034fe6db4b413455e8b392b87f5a651147acd119b4bb2a83de

    Download Submit

  • memory/292-4-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/292-5-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/292-35-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/292-27-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/292-0-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/292-1-0x00000000020B0000-0x00000000020B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/292-2-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/292-7-0x00000000002B0000-0x00000000002B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/292-6-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-23-0x00000000002B0000-0x00000000002B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/860-22-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-21-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-28-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-19-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-17-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-38-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-39-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/860-44-0x0000000000410000-0x00000000004D8000-memory.dmp

    Filesize

    800KB

    Download