Overview

overview

8

Static

static

3

063743a6d8...77.exe

windows7-x64

8

063743a6d8...77.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    136s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 22:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    063743a6d8d12190655cd540f3398f77.exe

  • Size

    19KB

  • MD5

    063743a6d8d12190655cd540f3398f77

  • SHA1

    d0d6788c7c28a506eaa1e7ee10d0ebed2581ad66

  • SHA256

    22f991ec2be75fba8cf205b12ae5b4f74062f77653967b802217364ffbdd9f80

  • SHA512

    40acb9160b8e7b7d43d748eef51fd60063380e2d6685806d9d9a95368e402cf51e3c837ed05c22104bec1cf2f8cda808d460488f872d770575a631e50763f982

  • SSDEEP

    384:bJHScW4Y+qjjbokcjGDtq+eBZ2AJKxhkaFOmm7EZDT4j6/TSzqQl:EcW4YP8lGDtq+eB0jFO5xjkTsd

Score
8/10
persistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\063743a6d8d12190655cd540f3398f77.exe
    "C:\Users\Admin\AppData\Local\Temp\063743a6d8d12190655cd540f3398f77.exe"
    1⤵
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\RESSDT.exe
      C:\Windows\system32\RESSDT.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 180
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop wscsvc&net stop sharedaccess&sc config sharedaccess start= disabled&sc config wscsvc start= disabled &net stop KPfwSvc&net stop KWatchsvc&net stop McShield&net stop "Norton AntiVirus Server"&cacls "C:\Program Files\Tencent\QQ\QQDoctor" /d everyone
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wscsvc
          4⤵
            PID:2696
        • C:\Windows\SysWOW64\net.exe
          net stop sharedaccess
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop sharedaccess
            4⤵
              PID:2608
          • C:\Windows\SysWOW64\sc.exe
            sc config sharedaccess start= disabled
            3⤵
            • Launches sc.exe
            PID:3024
          • C:\Windows\SysWOW64\sc.exe
            sc config wscsvc start= disabled
            3⤵
            • Launches sc.exe
            PID:2824
          • C:\Windows\SysWOW64\net.exe
            net stop KPfwSvc
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2272
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop KPfwSvc
              4⤵
                PID:2752
            • C:\Windows\SysWOW64\net.exe
              net stop KWatchsvc
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2748
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop KWatchsvc
                4⤵
                  PID:2624
              • C:\Windows\SysWOW64\net.exe
                net stop McShield
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2848
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop McShield
                  4⤵
                    PID:2580
                • C:\Windows\SysWOW64\net.exe
                  net stop "Norton AntiVirus Server"
                  3⤵
                    PID:2576
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
                      4⤵
                        PID:2596
                    • C:\Windows\SysWOW64\cacls.exe
                      cacls "C:\Program Files\Tencent\QQ\QQDoctor" /d everyone
                      3⤵
                        PID:2612
                    • C:\Windows\SysWOW64\sysave.exe
                      C:\Windows\system32\sysave.exe
                      2⤵
                      • Executes dropped EXE
                      PID:2136
                      • C:\program files\Internet Explorer\IEXPLORE.EXE
                        "C:\program files\Internet Explorer\IEXPLORE.EXE"
                        3⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:1716
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
                          4⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          PID:1952
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c echo ping 127.1 -n 4 >nul 2>nul >"C:\Program Files\sys.bat" & echo del "C:\Users\Admin\AppData\Local\Temp\063743a6d8d12190655cd540f3398f77.exe" >>"C:\Program Files\sys.bat" & echo del "C:\Program Files\sys.bat">>"C:\Program Files\sys.bat" & "C:\Program Files\sys.bat"
                      2⤵
                      • Deletes itself
                      • Drops file in Program Files directory
                      PID:312
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.1 -n 4
                        3⤵
                        • Runs ping.exe
                        PID:1564

                  Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files\sys.bat
                          Filesize

                          132B

                          MD5

                          1d938d845ba0c242afcd3782e634aef5

                          SHA1

                          185f0e0543abbd99d76792b4d79dfd1e4c9a633e

                          SHA256

                          dd74845655e6ed50c41ae26d635877f54be123e8d42bb8544817a00c852c4bf8

                          SHA512

                          9d40d09a169b5355bf321b78607a5afde948af6d3da9dc03d50719a5405fe1349c8f3b0bdc6cf6a2ccd81ff56817a74fceb496406f42bd24bd47bf4b4eadd619

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          8a4f06f70d7397040247b43775a60e98

                          SHA1

                          84684f1696417237e6e9da166ca007a987222366

                          SHA256

                          06ec32e36dcd08ae22f2df6267c0533f63256f3b95f4a15f99c0f696f2b99f33

                          SHA512

                          23435a20b8a606b12c6e65dfd50d21406bfac71be4372bfdb2dc42e1bdf1ae75824e42a695f944db68f83c6cf77cf72725ea2e8d3473a116dbc0580b4473098e

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          751ad75ea9dc03f20165a26b6bfa9794

                          SHA1

                          f98ca8127f661b3b4090daa4c956ade2b0f96338

                          SHA256

                          140bb2ab6ab3f88f5f2c1e8a1c963b58669d780f85095234327e9466e4eee3f2

                          SHA512

                          ca75a84bd7f0f7a18c09bbd9b584af44c28b3d0947ab0fcbe7bb150f40bf2fd0efa1ce15ecfd1c118f9d28cc300bc9aeeb056276a685da7f7f153cce95c73d1e

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          95b2638a90950f5682a11196fafeb16a

                          SHA1

                          1b7682f03fcf09207b8198c5a72037ce1ba122a1

                          SHA256

                          6f7f0ef74506f8713a8f4a6220def3c406cdedd1c16656b0ff88048c3b90895c

                          SHA512

                          8346464993bff18f7de8d6c877022b49d1ba8e689e1800246311c14c4db7ee770888be2e6a2e287c38488a4b71061af036cce1268e19fcb9ae130c2d95c21522

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          b5f5412e07b0044f38ce1525228e5c35

                          SHA1

                          2941d96b53b37c6262cb6b5d36b3053846e63b27

                          SHA256

                          6165b5d34b3e712e6a8b3761ad27910f6cf0fd295b04d74b1db0cc12ea073853

                          SHA512

                          06e846c32237452f4180b090271d03b8f5119c895280bd9dd4ff4dbe970928aa29884f1c64a826a06757afa722a1bfcafd0d07a688f6269a02550517af19632b

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          bbf4819b0013e2c2da893211f6e0a34b

                          SHA1

                          2753161d25bb7e0723c0bc6edd8478cabbb074d6

                          SHA256

                          da4c9f50877a9d2aedc787446c9450fc7879203f464b29bdbfe551e0d4c66c2c

                          SHA512

                          68ac593ed3cc6bc041546452f365f62f048ef04f56354c0279c1c885ea5f0356b3af3f869e7d142673789c712a2e330c75560d22ee2bae2640d1f52af82125ca

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          153200d3444eb3826c5553b565ce3ac6

                          SHA1

                          9b16c79c86076ae83e4beefdd91a5cbfe8b75cc3

                          SHA256

                          c48f0cd7bae97dce636ccd0a5f36694dd21e39f58e7894053eca337154c45125

                          SHA512

                          572badd4eef39c139fd19752fffe83d59f20972a1b65c0eff8941c655f28cec754e2860f171f2e82a0a1cd9f2ec3242ca5bca70cec0992fed37f020b4352b91d

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          d49d231c3fc299a832eed611c231d168

                          SHA1

                          2bb221291fa784a4c26cbf7a1c5cea392fcef4de

                          SHA256

                          bdddf9616d519334a0039c44eb071b5e9d063e7ce5b6f3343b228b1e273a34b9

                          SHA512

                          cefb66e0a1d82cc827b2026dcc2a3871b0b4715e6f1477724ed48faac895861d9638a2379bae00589171d98b1764e19a291e46cb8f980a7de8d94d1b9b4effb8

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          ffd1d295166bc2da0b23e52d511f7645

                          SHA1

                          21787ed06f0a7fb1bff738b01e17ffb9a7294610

                          SHA256

                          e63c5d782af76ad3921c5a7ab2a15ff8abc404522214c08c05b46da6907d9736

                          SHA512

                          657018a0c00d751fa6d15b61d3c60f7995af3089ecbae59f8604d319c35d45666b00729f30d0ee8261fb137009d8dcc8eab46b3a077f629d8f3802fca8d57fb4

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          b563938a79c6d971a42b7e56c51bb5fd

                          SHA1

                          870439027a2b2097e05d525ce31bcb551085e51d

                          SHA256

                          6c9a75203e273f91ab69bd8c8a91c845970c8819ba086d580ec9d3350a410d59

                          SHA512

                          b6656d1512cec7029ea9af6e3b2b45fcad6408a60c8f89915e6b526da726ccd0e26ad72d35b2bbb60b635415b3fef234221dafce305030914fa63ea8fca588ad

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          6aee5250fea4ab2500301d1d6a71a2ee

                          SHA1

                          c1a99cd89162cef79da0073c3692e46adde55c91

                          SHA256

                          474fca5bb51e84a9c2ea0c6cec78dcbd71b31caa53d0d23082f109b9817df6df

                          SHA512

                          ec0d1354b13ce9fa87df01f522c8348619bfb544bfa04cb92e4b2a5272f78a7977bf75307cdf866e662201b22afadc02c33343be00e3b9486cb65a3b3019aae4

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          956446bb30b836ce5d48e7bff724011b

                          SHA1

                          da885f07e0833310cd8312e03f778ef6d74bd3f2

                          SHA256

                          1a06526b6935c455acebe01a7b139dd3acc036dc09f9ca1aedf26b7b0f3a360f

                          SHA512

                          ecebd6da811dabe83ccc23e44a3d750a627881c8632d373ea336ff517c1b545a95bbe6f3cd7c4d72ba25b91132d3d797fa5b003736f16769550372cc3e1d16e5

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          344B

                          MD5

                          65cbdd6a93471022ea112938ddbfc3b9

                          SHA1

                          4c8134053d46028d44345cd252f911ab074ffdb8

                          SHA256

                          7ed238c01785df84edbb1f07237fd02f228f0e3fd42249d5f8ceff7bbf412a99

                          SHA512

                          9a8ad4a4f217f262bcbbe5a7461a6b43137130f19d1bec68ae7e71c84973199d6b16ff93cab409781e0b506f4a5406de00209c2d05a4fb70218aeeead0901b18

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\Cab145D.tmp
                          Filesize

                          65KB

                          MD5

                          ac05d27423a85adc1622c714f2cb6184

                          SHA1

                          b0fe2b1abddb97837ea0195be70ab2ff14d43198

                          SHA256

                          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                          SHA512

                          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\Tar20D0.tmp
                          Filesize

                          171KB

                          MD5

                          9c0c641c06238516f27941aa1166d427

                          SHA1

                          64cd549fb8cf014fcd9312aa7a5b023847b6c977

                          SHA256

                          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                          SHA512

                          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                          Download Submit

                        • C:\Windows\SysWOW64\RESSDT.exe
                          Filesize

                          1KB

                          MD5

                          444428055b5655a1420d0cd4a6e7011d

                          SHA1

                          6649fefd682c926710f83ac5b3d3e23aa75fa461

                          SHA256

                          5ae5a5334e200368a8c3a7d2134a17680580c9eec2f6df929b283d776614303c

                          SHA512

                          9326d9d02ee52f5424426037151170d1729460c9ecf53336e622dcd25d43e012a247ed4d297db84cc6649778c4ddc6de6c5f15f0245b0cb604d2255f1c960bbb

                          Download Submit

                        • \Windows\SysWOW64\RESSDT.exe
                          Filesize

                          32KB

                          MD5

                          a58964859b457abcd98db06e02f60575

                          SHA1

                          14f960cddac44ba17335d0562b7723a1f9d5e433

                          SHA256

                          0ab0e80b24ef980f452fa9ac7586243f424b4ad00f6870330aacbaf068a36c7e

                          SHA512

                          5ad1a9afe9dd10a25862a410dd886ba41b60ee044db1737bdcc2cf7ccc3a07e9887867fc5b53d97a262b63f867b814ee1cc92b2c887618178c45e258540d5503

                          Download Submit

                        • \Windows\SysWOW64\sysave.exe
                          Filesize

                          16KB

                          MD5

                          629047f12782062173895211cd3361ee

                          SHA1

                          569d8903032e5a75fa22529ac45965f802b120dc

                          SHA256

                          01947e4b2543a83524c52432ce3aa0942cc59a3ec176833c0980a675a5b6ffee

                          SHA512

                          fea26cd96424d889b66eb1db2f78575cfe21adc02f4049317d70c3763e39aa038fdd5836bf9da00c685449999b3a9a16b9ac41322722b7e2647c78f2619f904f

                          Download Submit

                        • memory/2932-13-0x0000000000400000-0x000000000041C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/2932-33-0x0000000000400000-0x000000000041C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/3004-14-0x0000000013150000-0x0000000013158200-memory.dmp

                          Filesize

                          32KB

                          Download