Overview

overview

10

Static

static

3

01e9007019...fa.exe

windows7-x64

10

01e9007019...fa.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    159s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01e9007019c3b07fa881e53f9c400dfa.exe

  • Size

    30KB

  • MD5

    01e9007019c3b07fa881e53f9c400dfa

  • SHA1

    22d0438ba1fd0bc2af49f923ab5972be5e91db2d

  • SHA256

    3c752ab3f1fba9dab9745d1e687b87a2c20471ac92c3e5644ec9522b77bf9c06

  • SHA512

    532335c717224ac0dece26470189b9e6f58cea507c59060cb6358a0ac710d3381a3e8c18e63484fc06fbb29a2afa15d2f5ad0a376b5898a2bf442923b552cfca

  • SSDEEP

    768:dzqdJWNqbx2dNanQmQqcyocxKWnbcuyD7UGNWGl:dMt2vanzxpHnouy8KP

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01e9007019c3b07fa881e53f9c400dfa.exe
    "C:\Users\Admin\AppData\Local\Temp\01e9007019c3b07fa881e53f9c400dfa.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\259450707.DLL
    Filesize

    12.1MB

    MD5

    7ef4a647078bd96818c2a264bc66d4a8

    SHA1

    60b041907cd60486637fe717cbbd00844f562426

    SHA256

    f78daa9465612a2bea2de3cc009544f3e3a50dbdf35ccbac176005e85aef8299

    SHA512

    961dd4cda512438212d89c2ce83f15f88a316d5cd45a2e0219aacfb330710f11061bcc7497734bc8b906267ab9c5dbad747e47383f1ba81210acee09d0bae00c

    Download Submit

  • memory/2764-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2764-5-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download