Overview

overview

8

Static

static

3

27a0db1e47...9e.exe

windows7-x64

8

27a0db1e47...9e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    2s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 04:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    27a0db1e476d5f99524225521dce569e.exe

  • Size

    52KB

  • MD5

    27a0db1e476d5f99524225521dce569e

  • SHA1

    ff30d543951d7d33a8ba415945ff1b973d169e0e

  • SHA256

    326b669abea961fc473bc010010cb96524bcfb5519157e55700a80f067a6d8af

  • SHA512

    2864645a2e7ff65253a0cda2f3e766e6619c14f6fb08e32b9bc471a92deb92d069ccd53d2ff73a13b656d9cca378d406f620091f62d8272062ed62c133920e06

  • SSDEEP

    768:C96E8n34lzc8VoE4tytrPsSm9vt51r4lzc6E8n3:Cw4Bc8+stAHl51r4Bc

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe
    "C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      2⤵
        PID:2764
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        2⤵
          PID:5080
        • C:\Windows\SysWOW64\sc.exe
          sc delete sharedaccess
          2⤵
          • Launches sc.exe
          PID:5084
        • C:\Windows\SysWOW64\sc.exe
          sc delete wscsvc
          2⤵
          • Launches sc.exe
          PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.exe C:\Users\Admin\AppData\Local\Temp\27a0db1e476d5f99524225521dce569e.bat
          2⤵
            PID:684
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          1⤵
            PID:2616
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop wscsvc
            1⤵
              PID:3944
            • C:\Windows\System32\sihclient.exe
              C:\Windows\System32\sihclient.exe /cv RGNuxtVvy0OUqMMGfSahNQ.0.2
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:5080
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2764

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2764-3-0x0000000074FF8000-0x0000000074FF9000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4668-0-0x0000000000400000-0x000000000040D000-memory.dmp

                    Filesize

                    52KB

                    Download