Overview

overview

7

Static

static

3

0848d78117...11.exe

windows7-x64

7

0848d78117...11.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    250s
  • max time network
    290s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0848d781177b1c49580c7633dfa6fa11.exe

  • Size

    179KB

  • MD5

    0848d781177b1c49580c7633dfa6fa11

  • SHA1

    55201626b8610e660ea181dabd583e4d63a3ba6b

  • SHA256

    275c8305aa35959d00b7989c4af2e0ef1c81f63a56db6d640e6e9635cbb5f9c2

  • SHA512

    65de7941081ed0ce0e4e231eb38c7bab87f123d9fc1a7440fc48f59a25c1dd0afdcb7968983eca6d0ffa3843a0774bf56c7faf730570b488e05b6e8795687471

  • SSDEEP

    3072:A6WQ079Fqa2Xk91/oyUpVHYSZSl5Vnm8XMPb3Zz2l3eZEECkJS7K6UTT/RV4y9sh:nW598rkbapRBi55m/1W3VJk1Cy

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0848d781177b1c49580c7633dfa6fa11.exe
    "C:\Users\Admin\AppData\Local\Temp\0848d781177b1c49580c7633dfa6fa11.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\explorer.exe
      000000A4*
      2⤵
      • Deletes itself
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\consrv.DLL
    Filesize

    25KB

    MD5

    4e5b6059818c23af2f2b634dee1b31d2

    SHA1

    021c1583bb8235ef8b5e91520c10a2b79579e15d

    SHA256

    788ceb1e6585f231de17cdcc5d195e150708213d14e300b6e1526e7668c4a3db

    SHA512

    386dd06a3589fd39d785e11fbbcaa1e23fb3e763d6142a87de080c8b49bf5d017673b141e0ffc9a50d35a165753a59c452cbabd15978df0866f84dec0c31d43d

    Download Submit

  • \Windows\System32\consrv.dll
    Filesize

    31KB

    MD5

    adf1ddd89d424e8d0e275cc42747ec81

    SHA1

    321105503846b4a5f8fd3ccd6d92253c39b3e1ce

    SHA256

    5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f

    SHA512

    3afb78bc1e49c224726ae824a4d36923bc9fedbdbc027576427932d900bbb17a3b536f1b384bc52bd1a1892ff23c5a2453065530fbdc0023392a0d17e7cbc184

    Download Submit

  • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    Filesize

    2KB

    MD5

    8fa48c24be921fff265f462d776511ad

    SHA1

    360a33c43b113e33153271a58f2c6cdf3775b2f8

    SHA256

    470b4e5c704ff22e67ee1b866cfd8ccc28554a5fbdd08b15f052a56906e95137

    SHA512

    baf0ecbfaa82f51eabffc0aafac57b97924637a6e99702b19de7ea85077119ce2913b7f2c4baf90a3968b7961facc1dc885042a40f44811b7c8ffbbdc3ab174d

    Download Submit

  • memory/336-21-0x0000000002140000-0x000000000214C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/336-20-0x0000000002140000-0x000000000214C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2392-4-0x0000000000170000-0x0000000000184000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2392-10-0x0000000000170000-0x0000000000184000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2392-15-0x0000000000170000-0x0000000000184000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2392-5-0x0000000000060000-0x0000000000072000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2648-1-0x00000000002A0000-0x00000000002CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2648-3-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2648-0-0x00000000002A0000-0x00000000002CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2648-2-0x0000000002E70000-0x0000000002EE4000-memory.dmp

    Filesize

    464KB

    Download