Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 04:11

General

  • Target

    27a0db1e476d5f99524225521dce569e.exe

  • Size

    52KB

  • MD5

    27a0db1e476d5f99524225521dce569e

  • SHA1

    ff30d543951d7d33a8ba415945ff1b973d169e0e

  • SHA256

    326b669abea961fc473bc010010cb96524bcfb5519157e55700a80f067a6d8af

  • SHA512

    2864645a2e7ff65253a0cda2f3e766e6619c14f6fb08e32b9bc471a92deb92d069ccd53d2ff73a13b656d9cca378d406f620091f62d8272062ed62c133920e06

  • SSDEEP

    768:C96E8n34lzc8VoE4tytrPsSm9vt51r4lzc6E8n3:Cw4Bc8+stAHl51r4Bc

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Deletes itself 1 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is the Windows command-line utility for controlling services (start, stop, delete, configure) on the system.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe
    "C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop wscsvc
        3⤵
          PID:2804
      • C:\Windows\SysWOW64\net.exe
        net stop sharedaccess
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          3⤵
            PID:2752
        • C:\Windows\SysWOW64\sc.exe
          sc delete wscsvc
          2⤵
          • Launches sc.exe
          PID:2704
        • C:\Windows\SysWOW64\sc.exe
          sc delete sharedaccess
          2⤵
          • Launches sc.exe
          PID:2740
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat
          2⤵
          • Deletes itself
          PID:2156
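The process tree above shows the sample disabling Windows Security Center (wscsvc) and Internet Connection Sharing (sharedaccess, the service that hosted the Windows Firewall on XP) with net stop followed by sc delete, then removing itself through cmd /c with a batch file named after the executable. The Python below is added here as a worked example and is not part of the sandbox report: it turns that behaviour into detection logic over process-creation events. The event tuples are constructed from the command lines in the tree plus one benign net stop spooler line; the service names beyond wscsvc and sharedaccess (mpssvc, windefend) are an assumed extension of the list.

```python
import ntpath
import shlex
from collections import defaultdict

# Services whose removal weakens host protection. wscsvc and sharedaccess are
# the two targeted in the run above; mpssvc and windefend are assumed additions.
PROTECTION_SERVICES = {"wscsvc", "sharedaccess", "mpssvc", "windefend"}

# Constructed process-creation events mirroring the tree above:
# (pid, ppid, image path, command line). The last event is benign admin noise.
SAMPLE_EVENTS = [
    (2900, 1000, r"C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe"'),
    (2724, 2900, r"C:\Windows\SysWOW64\net.exe", "net stop wscsvc"),
    (2804, 2724, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop wscsvc"),
    (2812, 2900, r"C:\Windows\SysWOW64\net.exe", "net stop sharedaccess"),
    (2752, 2812, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop sharedaccess"),
    (2704, 2900, r"C:\Windows\SysWOW64\sc.exe", "sc delete wscsvc"),
    (2740, 2900, r"C:\Windows\SysWOW64\sc.exe", "sc delete sharedaccess"),
    (2156, 2900, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat "
     r"C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe "
     r"C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat"),
    (3100, 3000, r"C:\Windows\System32\net.exe", "net stop spooler"),
]


def _split(cmdline):
    """Tokenise a Windows command line; non-POSIX mode keeps backslashes intact."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return [t.strip('"') for t in cmdline.split()]


def _tool(path):
    """Lower-case basename without .exe, e.g. C:\\Windows\\system32\\net1 -> net1."""
    name = ntpath.basename(path.strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def _stem(path):
    """Lower-case file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path.strip('"')))[0].lower()


def parse_service_control(cmdline):
    """Return (tool, verb, service) for 'net/net1 stop X' and 'sc delete|stop X', else None."""
    toks = _split(cmdline)
    if len(toks) < 3:
        return None
    tool, verb, svc = _tool(toks[0]), toks[1].lower(), toks[2].lower()
    if tool in ("net", "net1") and verb == "stop":
        return tool, verb, svc
    if tool == "sc" and verb in ("delete", "stop"):
        return tool, verb, svc
    return None


def parse_self_delete(cmdline, parent_image):
    """Return the batch path for 'cmd /c <x>.bat ...' when the batch file is named
    after the parent executable or after a .exe passed as an argument."""
    toks = _split(cmdline)
    if len(toks) < 3 or _tool(toks[0]) != "cmd":
        return None
    if toks[1].lower() not in ("/c", "/k") or not toks[2].lower().endswith(".bat"):
        return None
    bat = toks[2]
    targets = [parent_image] + [t for t in toks[3:] if t.lower().endswith(".exe")]
    return bat if any(_stem(bat) == _stem(t) for t in targets) else None


def analyze(events):
    """Attribute findings to the spawning process. Returns {ppid: [finding, ...]}."""
    images = {pid: image for pid, _, image, _ in events}
    findings = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        sc = parse_service_control(cmdline)
        if sc and sc[2] in PROTECTION_SERVICES:
            # net.exe always hands off to net1.exe; count that pair once.
            if _tool(image) == "net1" and _tool(images.get(ppid, "")) == "net":
                continue
            findings[ppid].append("%s %s %s" % sc)
        bat = parse_self_delete(cmdline, images.get(ppid, ""))
        if bat:
            findings[ppid].append("self-delete via " + bat)
    return dict(findings)


def verdict(events):
    """Rate each parent: 'high' if it both disables protection and self-deletes."""
    out = {}
    for ppid, items in analyze(events).items():
        disabled = sorted({i.split()[-1] for i in items if not i.startswith("self-delete")})
        self_del = any(i.startswith("self-delete") for i in items)
        if disabled:
            out[ppid] = ("high" if self_del else "medium", disabled)
    return out


if __name__ == "__main__":
    for ppid, (level, services) in verdict(SAMPLE_EVENTS).items():
        print(ppid, level, services)
```

The net1.exe children are skipped only when their parent is net.exe, so a direct net1 invocation (a known evasion of net.exe-based rules) is still caught; the benign spooler stop produces no finding because the service is not in the protection list.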

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat

    Filesize
    69B

    MD5
    e3b0a4ae48f7cfe95b51f8d3cfd329d0

    SHA1
    16d9435d895dcf1680baf5b8ebc6342f561af049

    SHA256
    90423a49e145f44c6cefc80ba4351d04a4eaaee2b86e38aad1d9927fbad3d7bf

    SHA512
    5abd674b6e8896bedacd7e0ae593d49771f5c5a036adab1963a37e38f5f2cf185b157d101e97c6e1572b5ae4dfcbfa0470871b2faa0a8d96c6dae19b1329b9f3

  • memory/2900-0-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize
    52KB