Overview

overview

6

Static

static

3

0a28fea08d...03.exe

windows7-x64

6

0a28fea08d...03.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    173s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 01:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0a28fea08d5aa82b03da4565c0d55603.exe

  • Size

    24KB

  • MD5

    0a28fea08d5aa82b03da4565c0d55603

  • SHA1

    8aa282cdf67366849a1ec1d9dd5354d36a299307

  • SHA256

    979b349973482102a5201fd57485188b3086f06ce52fb62207af509a5c568bc5

  • SHA512

    5313a8df265889a0c53d052dbcd55f2f4047713ff62c216e5318eaecaad79a94eadedc376f7bd8568c3b2486124aa539408d3d4ac2d60822c0a60c339d258cca

  • SSDEEP

    384:E3eVES+/xwGkRKJ9RvklM61qmTTMVF9/q5lW0:bGS+ZfbJ9R8O8qYoAh

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a28fea08d5aa82b03da4565c0d55603.exe
    "C:\Users\Admin\AppData\Local\Temp\0a28fea08d5aa82b03da4565c0d55603.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
          PID:3280
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:1320
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4912
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
              PID:1976
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -an
            3⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:220

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads