Overview

overview

10

Static

static

3

6c93af68d8...42.exe

windows7-x64

10

6c93af68d8...42.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    64s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c93af68d88185109cdd8c5bdb310542.exe

  • Size

    347KB

  • MD5

    6c93af68d88185109cdd8c5bdb310542

  • SHA1

    0165c396f06c31c9e7ca892c9528d1df567271ab

  • SHA256

    9898795c01aa24bccb59f559fe54d289c2b1eb4cf7278c7d0bda05c4084d5e59

  • SHA512

    b01f99465fc49218c4da7fa2b64e3f798d00f2c5a78740c0ef362284efc91a83d54432ce536996c4d29f25a802828ef563d25e62ffb7e7b04753f01947d7643d

  • SSDEEP

    6144:hQp8ix91HA11SHeF4qjjo+5fUs+0KrQgEbJHSYBpE82v+JC+8F:cr1HAQ+F4qPbfL+0qpEbAKc+Jz8F

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\6c93af68d88185109cdd8c5bdb310542.exe
      "C:\Users\Admin\AppData\Local\Temp\6c93af68d88185109cdd8c5bdb310542.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\b868f3ec\X
        176.53.17.23:80
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2884
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2720
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:2560

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\b868f3ec\@
        Filesize

        2KB

        MD5

        106d07837aeb77fe119e585f19397eca

        SHA1

        e5b4728ed55d4fb8f392e07b54ffd9e400efd4f0

        SHA256

        fdf9ff93b29948b09b2f88ead00a92db7b41f934fd2101fc1e79cf10e01610f0

        SHA512

        f72c17ac94d4fbc3ebc39cd6255b3533437483f30a8bf62bccbb75f7bf4a1de7b590196ef20e2f473bc56addd65b616db560fff61c73cb23401849ef083e3870

        Download Submit

      • \Users\Admin\AppData\Local\b868f3ec\X
        Filesize

        41KB

        MD5

        686b479b0ee164cf1744a8be359ebb7d

        SHA1

        8615e8f967276a85110b198d575982a958581a07

        SHA256

        fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

        SHA512

        7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

        Download Submit

      • \Windows\System32\consrv.dll
        Filesize

        29KB

        MD5

        2585231190620fb4557aacf4515f83e1

        SHA1

        8277ce556c7de0eacc724b94d04855a51a9292e1

        SHA256

        346abe431b22efc5b6134991139106a9a08abc947eb0c9026277d120c1101b64

        SHA512

        921e330f8b2a4c5bba84b43c255132c849a4b7641228f9c998a18acb7743942cd9763a056fe18bfa56e72e03de8124c35504e57d4c7ab18a6928aa07515c93ef

        Download Submit

      • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
        Filesize

        2KB

        MD5

        7d70dce66ab6a274e483742be2963132

        SHA1

        6700bedc37a21ec637039bf5a87ad04bf9588998

        SHA256

        25ef6eac889ff0a9b67cd4400d83c0b85625a92573b14d7c4dc6a5741abc16f6

        SHA512

        e3b0e7a47b67cb20b61f527dad5a6ad3afa42987db134f55f29ce3eafbdd6ed577343680715934f7ca783dd4578f74a215e8b82ff36f08a96492658a20b54665

        Download Submit

      • memory/336-29-0x0000000000830000-0x000000000083C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/336-27-0x0000000000820000-0x0000000000821000-memory.dmp

        Filesize

        4KB

        Download

      • memory/336-30-0x0000000000830000-0x000000000083C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1292-53-0x0000000002140000-0x000000000214B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1292-20-0x0000000002140000-0x0000000002146000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1292-16-0x0000000002140000-0x0000000002146000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1292-12-0x0000000002140000-0x0000000002146000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1292-60-0x0000000002160000-0x000000000216B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1292-23-0x0000000002130000-0x0000000002132000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1292-54-0x0000000002160000-0x000000000216B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1292-48-0x0000000002140000-0x000000000214B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1292-49-0x0000000002120000-0x0000000002128000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1292-44-0x0000000002140000-0x000000000214B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1968-9-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-1-0x0000000000400000-0x00000000004631B4-memory.dmp

        Filesize

        396KB

        Download

      • memory/1968-35-0x0000000000400000-0x00000000004631B4-memory.dmp

        Filesize

        396KB

        Download

      • memory/1968-33-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-32-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1968-31-0x0000000000400000-0x00000000004631B4-memory.dmp

        Filesize

        396KB

        Download

      • memory/1968-3-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-34-0x0000000001E90000-0x0000000001F90000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1968-21-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-6-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-56-0x0000000000400000-0x00000000004631B4-memory.dmp

        Filesize

        396KB

        Download

      • memory/1968-58-0x0000000000400000-0x00000000004631B4-memory.dmp

        Filesize

        396KB

        Download

      • memory/1968-59-0x0000000000470000-0x00000000004A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1968-22-0x0000000001E90000-0x0000000001F90000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1968-2-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

        Download