Overview

overview

8

Static

static

3

2cf7335ae9...60.exe

windows7-x64

7

2cf7335ae9...60.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    28s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2cf7335ae9b05e449dacd2b95693ba60.exe

  • Size

    672KB

  • MD5

    2cf7335ae9b05e449dacd2b95693ba60

  • SHA1

    8795ca628e1a7bc0d1f33203af2702a5b7b8bfc8

  • SHA256

    02837e7c28378e0517e0efe433ef3f8e0b4d9daebdb4b9cff0df4ab1ba3ce163

  • SHA512

    2e9cda0631e47533ac5a1e6dfd14a6a770527480068355b0d92ef0da2b8c3bc18910f5a025e3d8aef8840c974e1ec6c1963d543c71a3a3239706111b6286b27b

  • SSDEEP

    12288:neBNUbTVO86UCHruRdp+WA00SKCpVRwfHXSVUhbxk9e/pJu:nJIUCNd0nKwYPX+UhbW9eM

Score
8/10
discoveryevasiontrojan

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 37 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cf7335ae9b05e449dacd2b95693ba60.exe
    "C:\Users\Admin\AppData\Local\Temp\2cf7335ae9b05e449dacd2b95693ba60.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1148
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1904
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3304
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:3880
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3888
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4232
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3936
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
        PID:2056
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
            PID:4528
          • C:\Windows\system32\SearchFilterHost.exe
            "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
            2⤵
              PID:3472

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
            Filesize

            672KB

            MD5

            1c5e7fa8b9c7f265ae0a954ad68bfc57

            SHA1

            354d90b21e3bcdab7481a3b9be99785263694d66

            SHA256

            ef16560bf1a3473805ec629661c45214fead5eb4d671539a5a70fa45c90a99a9

            SHA512

            ce041244f7d209fe9fdaedddc2e8b1fdd3cc891819761274d157ba2c7aa1c3d3d7420f8729431f337a295b07526669d317b52b87ea0f7cc1d7b0ad48c5676cce

            Download Submit

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
            Filesize

            738KB

            MD5

            60af24fa3fb9eaecd7c6771ba44a2651

            SHA1

            e2c93eb1273251524faa3b01983edc5309d973d0

            SHA256

            b880d41feff46fa845aedc9ab1474eb57f9d226a4806443e148c5fe642925da7

            SHA512

            d920bc4c6637bb6924b9fd48a2ebd466083b891339ff2b4086381b97a11cfcd4a156fb97028d19363f6e92ab2e043fa58c62392fc00d97c1ef82a7f978f7cee6

            Download Submit

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
            Filesize

            1.7MB

            MD5

            07b57daff58c840ac91b683d04c5e080

            SHA1

            e3553b88b8d639374945c83178017ef02f0b19e7

            SHA256

            c596cfdd5598f9cd9925b864411552ed1cb716765dc94d083be3647b19cd13ee

            SHA512

            7f83f45e900705bf4d5e6e171c76b7d1efffd95ca7e528b9d874dca3c1e94c6b573928f1635f632b13f6c13ecff5b774253e0448393d968317cd46b807a5099a

            Download Submit

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
            Filesize

            2.5MB

            MD5

            3e7fe0356aa7fc3124e1c5e1a5e97bad

            SHA1

            4f9f2b4e0e6f75d39c995dfd949fd1a9bdee462f

            SHA256

            cd262819a94a6585ee53144cc057c585b75ac2f711285d05f23a7a2a8d72df8f

            SHA512

            c6475c1ef10b6a7970bb9dc43dacb714ae07a0a85209f9c6e1715c44f3b5abb7a6d123a14906ebdc2f451ec943371dbd982562e7d7fae57b88b174b22361933a

            Download Submit

          • memory/1148-0-0x00007FF6F7AB0000-0x00007FF6F7BB0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1148-83-0x00007FF6F7AB0000-0x00007FF6F7BB0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1148-2-0x00007FF6F7AB0000-0x00007FF6F7BB0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1904-144-0x00007FF7C8070000-0x00007FF7C8143000-memory.dmp

            Filesize

            844KB

            Download

          • memory/1904-45-0x00007FF7C8070000-0x00007FF7C8143000-memory.dmp

            Filesize

            844KB

            Download

          • memory/1904-17-0x00007FF7C8070000-0x00007FF7C8143000-memory.dmp

            Filesize

            844KB

            Download

          • memory/2056-334-0x00007FF7EA4A0000-0x00007FF7EA643000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2056-233-0x00007FF7EA4A0000-0x00007FF7EA643000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2056-234-0x000001A981220000-0x000001A981230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2056-250-0x000001A981320000-0x000001A981330000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2056-266-0x000001A985810000-0x000001A985818000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3304-29-0x00007FF654CC0000-0x00007FF654D92000-memory.dmp

            Filesize

            840KB

            Download

          • memory/3304-155-0x00007FF654CC0000-0x00007FF654D92000-memory.dmp

            Filesize

            840KB

            Download

          • memory/3472-384-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-290-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-293-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-294-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-302-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-311-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-315-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-310-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-320-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-323-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-324-0x000001A49A1C0000-0x000001A49A1D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-335-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-338-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-336-0x000001A49A1C0000-0x000001A49A1D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-280-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-309-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-308-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-307-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-306-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-305-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-304-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-303-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-301-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-300-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-347-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-348-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-360-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-367-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-368-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-369-0x000001A49A7F0000-0x000001A49A800000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-381-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-383-0x000001A49A7F0000-0x000001A49A800000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-382-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-478-0x000001A49A840000-0x000001A49A850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-370-0x000001A49A7F0000-0x000001A49A800000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-349-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-299-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-298-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-297-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-296-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-295-0x000001A49A040000-0x000001A49A050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-292-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-291-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-281-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-288-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-289-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-287-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-286-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-285-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-284-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-283-0x000001A49A020000-0x000001A49A021000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3472-282-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-399-0x000001A49A1C0000-0x000001A49A1D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-400-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-410-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-409-0x000001A49A1C0000-0x000001A49A1D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-411-0x000001A49A7F0000-0x000001A49A800000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-392-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-279-0x000001A49A010000-0x000001A49A020000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-278-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-277-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-419-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-424-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-432-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-433-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-441-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-451-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-452-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-454-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-437-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-423-0x000001A49A7F0000-0x000001A49A800000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-418-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-276-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-275-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-466-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-470-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-476-0x000001A49A830000-0x000001A49A840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-477-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3472-471-0x000001A49A000000-0x000001A49A010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3888-37-0x00007FF69F4E0000-0x00007FF69F63F000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3888-36-0x00007FF69F4E0000-0x00007FF69F63F000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3936-183-0x00007FF640CA0000-0x00007FF640EF5000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/3936-54-0x00007FF640CA0000-0x00007FF640EF5000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/4232-44-0x00007FF7AD680000-0x00007FF7AD8E1000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4232-182-0x00007FF7AD680000-0x00007FF7AD8E1000-memory.dmp

            Filesize

            2.4MB

            Download