Overview

overview

7

Static

static

3

0e88d215c5...35.exe

windows7-x64

7

0e88d215c5...35.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e88d215c560501b6a4ba041c0d54635.exe

  • Size

    118KB

  • MD5

    0e88d215c560501b6a4ba041c0d54635

  • SHA1

    95a45dd007e93df49fbb91222476160f526ee12a

  • SHA256

    5b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f

  • SHA512

    c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea

  • SSDEEP

    3072:7ni7SKGEBa+LTcXuDENCtpFqYaG9w0Hi:Li71GhacXuDyCXFqTG90

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe
    "C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
        PID:2404
      • C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe
        0e88d215c560501b6a4ba041c0d54635.exe
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\AppData\Local\Temp\lsass.exe
          "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
            wmpnetvk.exe
            4⤵
              PID:2700
      • C:\Users\Admin\AppData\Local\Temp\lsass.exe
        lsass.exe
        1⤵
        • Executes dropped EXE
        PID:1728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
        Filesize

        118KB

        MD5

        0e88d215c560501b6a4ba041c0d54635

        SHA1

        95a45dd007e93df49fbb91222476160f526ee12a

        SHA256

        5b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f

        SHA512

        c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea

        Download Submit

      • \Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
        Filesize

        9KB

        MD5

        bebc70fd32454c81af2d47e74ec29cc9

        SHA1

        6b039556ac4841c5ce3650016bd7a1adb94df2ee

        SHA256

        bb891551f5fb9e76ca1034f7b03f8f4ee2e45ac0583eefd7b9e5b4e3c2fb48db

        SHA512

        7ca06e907aa64bc672334b54259cd13c85a0cde6263bc445b3a9c7d668ddd8d02ed881c799b140b99456b3be38618064bb33474934c7445b1564294014bf5813

        Download Submit

      • memory/1728-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-61-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2132-62-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2132-1-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2132-0-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2132-2-0x0000000000770000-0x00000000007B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2132-64-0x0000000000770000-0x00000000007B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2132-63-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2596-26-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2596-27-0x0000000000460000-0x00000000004A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2596-28-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2596-65-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2596-66-0x0000000000460000-0x00000000004A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2596-67-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2600-70-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2600-71-0x0000000000330000-0x0000000000370000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2600-50-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2600-55-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2600-53-0x0000000000330000-0x0000000000370000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2628-34-0x0000000000530000-0x0000000000570000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2628-69-0x0000000000530000-0x0000000000570000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2628-35-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2628-33-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2628-68-0x0000000074E50000-0x00000000753FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2804-19-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-12-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2804-16-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-10-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-18-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-51-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-8-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2804-6-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download