Overview

overview

7

Static

static

3

24987d19cd...43.exe

windows7-x64

7

24987d19cd...43.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    0s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24987d19cdb6465e228b9ebcc77c8343.exe

  • Size

    448KB

  • MD5

    24987d19cdb6465e228b9ebcc77c8343

  • SHA1

    2e17e290b6cc45f1c594c8d7c8aca34989757437

  • SHA256

    2b6bf3225b5fb2f360e04d0d52ce9833ad598f33d666555a05aa4fcc4057d83e

  • SHA512

    18e82b25698421a8f17d8ee99a740748dc8aa82e32482a862c965322186cb2b4ae2b8a4cc8c5193963f6ef8b1b5e274b768af02c4a890d36256cde8280bb2444

  • SSDEEP

    12288:YtsyqHEPPVfDtqqCorzYxSig7z8XYavxbgfAGqsuxsAY0i:1yAYeqPElg70Yuywe/

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24987d19cdb6465e228b9ebcc77c8343.exe
    "C:\Users\Admin\AppData\Local\Temp\24987d19cdb6465e228b9ebcc77c8343.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      "C:\Users\Admin\AppData\Local\Temp\winini.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\VF9Q3KVYEZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VF9Q3KVYEZ.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies registry key
    PID:2140
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies registry key
    PID:2208
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies registry key
    PID:2684
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies registry key
    PID:2664
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\VF9Q3KVYEZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VF9Q3KVYEZ.exe:*:Enabled:Windows Messanger" /f
    1⤵
      PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      1⤵
        PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\winhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winhost.exe:*:Enabled:Windows Messanger" /f
        1⤵
          PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          1⤵
            PID:2916
          • C:\Users\Admin\AppData\Local\Temp\winhost.exe
            C:\Users\Admin\AppData\Local\Temp\winhost.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2872

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1320-0-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1320-2-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1320-3-0x0000000000500000-0x0000000000540000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1320-13-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2872-25-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-49-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-23-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-21-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-59-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-57-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-56-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-29-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-53-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-44-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-45-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-47-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-48-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2872-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2872-51-0x0000000000400000-0x000000000045A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/2940-15-0x0000000000650000-0x0000000000690000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2940-38-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2940-14-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2940-17-0x0000000074560000-0x0000000074B0B000-memory.dmp

            Filesize

            5.7MB

            Download