Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 00:09

General

  • Target

    2123420265056e81e0aeb538a10c6e63.exe

  • Size

    24KB

  • MD5

    2123420265056e81e0aeb538a10c6e63

  • SHA1

    dfcc80ea5a2ce474893894a4c191a215675824cc

  • SHA256

    1eb91772e8c6962a0b5f634cad54192cbcac82a055800d610505ab574d11d0d3

  • SHA512

    8f2f03f2e843ae26af168cdeb79c6002f520d5c4579e72510d4a5f58ae4dd9fbe885d2c95e650b2a1faf94a471fd8adaa3a2ee83637d0207e274a5e7ab3b8324

  • SSDEEP

    384:E3eVES+/xwGkRKJDF5lM61qmTTMVF9/q570:bGS+ZfbJDzO8qYoAQ

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Gathers network information (2 TTPs, 2 IoCs)

    Uses a command-line utility to view the network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2123420265056e81e0aeb538a10c6e63.exe
    "C:\Users\Admin\AppData\Local\Temp\2123420265056e81e0aeb538a10c6e63.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1708
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
        PID:1672
      • C:\Windows\SysWOW64\net.exe
        net start
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start
          4⤵
          PID:1692
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:628
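The process tree above is a classic batch-style host reconnaissance chain: one cmd.exe spawned by the sample runs ver, set, ipconfig /all, tasklist, net start and netstat -an back to back and funnels every result into a single file, c:\windows\temp\flash.log. The hunt below is an added example, not part of the sandbox report: it walks process-creation telemetry, finds a cmd.exe whose direct children include several distinct discovery utilities within a short window, maps each utility to its ATT&CK Enterprise technique, and pulls the redirect target out of the parent command line as an IoC. The event list is constructed from the PIDs and command lines in the tree (plus one benign control shell), and the field names ts, pid, ppid, image and cmdline are assumed; a real Sysmon Event ID 1 or EDR feed would need a one-line field mapping.

```python
"""Hunt for a batch-style host-reconnaissance chain in process-creation events.

Added example (not sandbox or sample code). Event records are constructed from the
report's process tree; field names (ts, pid, ppid, image, cmdline) are assumed.
"""
import ntpath
import re
from collections import defaultdict

# Discovery utilities and the ATT&CK Enterprise technique each one implements.
DISCOVERY_TOOLS = {
    "ipconfig.exe": "T1016",    # System Network Configuration Discovery
    "tasklist.exe": "T1057",    # Process Discovery
    "netstat.exe": "T1049",     # System Network Connections Discovery
    "systeminfo.exe": "T1082",  # System Information Discovery
    "whoami.exe": "T1033",      # System Owner/User Discovery
}
# net.exe is discovery only for enumeration verbs; "net use" or "net stop" are not.
NET_DISCOVERY_VERBS = {"start", "user", "group", "localgroup", "view", "share", "session"}
NET_TECHNIQUE = "T1007"  # System Service Discovery

# '>' or '>>' followed by a quoted path or a bare token up to the next cmd operator.
REDIRECT_RE = re.compile(r'>{1,2}\s*(?:"([^"]+)"|([^\s&|<>"]+))')


def image_name(path):
    """Lower-cased file name of an image path (NETSTAT.EXE -> netstat.exe)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the ATT&CK technique a child process implements, or None."""
    name = image_name(event["image"])
    if name == "net.exe":
        args = event["cmdline"].split()[1:]
        return NET_TECHNIQUE if args and args[0].lower() in NET_DISCOVERY_VERBS else None
    return DISCOVERY_TOOLS.get(name)


def redirect_targets(cmdline):
    """All files a cmd.exe command line redirects output into (lower-cased)."""
    return {(quoted or bare).lower() for quoted, bare in REDIRECT_RE.findall(cmdline)}


def root_ancestor(pid, by_pid):
    """Walk ppid links up to the top-most process we have an event for."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def find_recon_chains(events, min_tools=3, window_s=30):
    """Flag each cmd.exe whose direct children run >= min_tools distinct discovery
    utilities within window_s seconds; report techniques, origin and output files."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for parent in events:
        if image_name(parent["image"]) != "cmd.exe":
            continue
        techniques, times = {}, []
        for child in children[parent["pid"]]:
            tech = classify(child)
            if tech:
                techniques[image_name(child["image"])] = tech
                times.append(child["ts"])
        # The length check runs first, so max()/min() never see an empty list.
        if len(techniques) < max(min_tools, 1) or max(times) - min(times) > window_s:
            continue
        origin = root_ancestor(parent["pid"], by_pid)
        findings.append({
            "cmd_pid": parent["pid"],
            "origin_pid": origin,
            "origin_image": by_pid[origin]["image"],
            "tools": sorted(techniques),
            "techniques": sorted(set(techniques.values())),
            "output_files": sorted(redirect_targets(parent["cmdline"])),
        })
    return findings


# Constructed telemetry mirroring the sandbox tree (timestamps in seconds).
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2123420265056e81e0aeb538a10c6e63.exe"
_CHAIN = (r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log"
          r" & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log"
          r" & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log")
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 988, "ppid": 4412, "image": _SAMPLE, "cmdline": f'"{_SAMPLE}"'},
    {"ts": 1.2, "pid": 3648, "ppid": 988, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": _CHAIN},
    {"ts": 1.3, "pid": 1672, "ppid": 3648, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c set"},
    {"ts": 1.4, "pid": 1708, "ppid": 3648, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 1.6, "pid": 2236, "ppid": 3648, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"ts": 2.0, "pid": 3576, "ppid": 3648, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net start"},
    {"ts": 2.1, "pid": 1692, "ppid": 3576, "image": r"C:\Windows\SysWOW64\net1.exe", "cmdline": r"C:\Windows\system32\net1 start"},
    {"ts": 2.4, "pid": 628, "ppid": 3648, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": "netstat -an"},
    # Benign control (constructed): an admin shell running a single ipconfig must not fire.
    {"ts": 50.0, "pid": 5000, "ppid": 4412, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": 51.0, "pid": 5004, "ppid": 5000, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for finding in find_recon_chains(SAMPLE_EVENTS):
        print(finding)
```

Two design points worth noting. Counting distinct utilities under one cmd.exe parent, rather than alerting on any single ipconfig or tasklist, is what keeps this from paging on every help-desk session; the benign control shell above is there to prove that. And the redirect target is the cheapest pivot the tree offers: a file that several discovery tools append to in sequence is the staging artefact to hunt for across the fleet, which is also why the report lists flash.log under Downloads with its own hashes.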

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    15KB

    MD5

    8a1244867e001547673fddee2dc70402

    SHA1

    aab8cc1bca8ad3fb6d548017d29ee580b2edf283

    SHA256

    ad0052477e38125160e3a31bf647432e41c0e7214484c8eb3c9cde0988e70a7a

    SHA512

    665c04ecec86aeaf417e074a0ca53336ae42065f13ab4584412b2b5401c5ed5d695c28f422e0cdd71978c2068a208bea0a4c1a87ca808cd86b993f45cf79fb3f