Overview

overview

7

Static

static

3

3692724c6c...db.exe

windows7-x64

7

3692724c6c...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 12:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3692724c6c6208acdd9db8a4b2cf7adb.exe

  • Size

    70KB

  • MD5

    3692724c6c6208acdd9db8a4b2cf7adb

  • SHA1

    58de076c2f5c2dda9e00d14a297fbff3160b523a

  • SHA256

    50644758dd298eec64d6572a9cb3d4a129f52f4e40b6cf0ffa0b80bccafaed20

  • SHA512

    ed8d69f0c21e6074c0e678da4fc5a04cf016e6c3e61e7ac7a49a2bfb4f5102bdb70a00bd69c609d6a157b1c83f4782476e67542f90d07ccea44b02e2d839c4f5

  • SSDEEP

    768:Edskb6E3ulbftsgT0z7GDkmKV2KljK1sQbAQusQZ7uuK3P1s/e/NVP9umROF4HQ8:Eem3ulb1sggnyC9csSA+vdsVESYWNru

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3692724c6c6208acdd9db8a4b2cf7adb.exe
    "C:\Users\Admin\AppData\Local\Temp\3692724c6c6208acdd9db8a4b2cf7adb.exe"
    1⤵
    • Checks computer location settings
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\bfsvc.exe
      C:\Windows\bfsvc.exe
      2⤵
        PID:2804
      • C:\Windows\bfsvc.exe
        C:\Windows\bfsvc.exe
        2⤵
          PID:2820

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2008-0-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2008-1-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2008-2-0x000000007DD60000-0x000000007DE70000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2008-13-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download