Overview

overview

7

Static

static

3

3f3d6951f1...4b.exe

windows7-x64

7

3f3d6951f1...4b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2024, 22:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3f3d6951f1e6c629de173589dfd6614b.exe

  • Size

    626KB

  • MD5

    3f3d6951f1e6c629de173589dfd6614b

  • SHA1

    2f40f9a628486dba91f58594ed51387644a05415

  • SHA256

    7e9e67e1a7440dc410c96bcd68c249c13826a11863531efc3220459e573b2ee9

  • SHA512

    f955f26d26d25a7297045675e4ba78467e709dda8f3acbd0a82892e657f8e79bc8d124cca9ccb3473e54a757d6cfcbcf81ea4031dfdfc03c4952190e0e9feddf

  • SSDEEP

    12288:NnKV0kdbKuFKh2DywywdIlXKufF3Z4mxxF0MHoTAFbcDt2:Nn/SbKuFKADywMl6ufQmXFKBt2

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f3d6951f1e6c629de173589dfd6614b.exe
    "C:\Users\Admin\AppData\Local\Temp\3f3d6951f1e6c629de173589dfd6614b.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2896
    • C:\Windows\ghads.exe
      C:\Windows\ghads.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2748

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\uninstal.bat
            Filesize

            150B

            MD5

            5edd682a8b1f2bf873300774f954ab03

            SHA1

            2cca4e743d02dbccf31b784ea26a60c03dcc9637

            SHA256

            a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

            SHA512

            916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

            Download Submit

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            269KB

            MD5

            70b1779bb079cae512cc18a413e5aeaa

            SHA1

            7845cd0e79f12cc83d4ce94b7df18a70cc66dc02

            SHA256

            bf23b2b611aa1805cf7e03081eeaebad50eb4730a14650b6a758a351c18a222c

            SHA512

            18459bb4033c242492a4417f655d9ce1ae8652e7de836f47d796ebe0b5b6540cbdb317676ae680b48a321a6a5fecda4dd40a500410e3f128690ca991cff9026f

            Download Submit

          • memory/1992-18-0x00000000035D0000-0x00000000036DB000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1992-2-0x0000000000910000-0x0000000000964000-memory.dmp

            Filesize

            336KB

            Download

          • memory/1992-12-0x00000000035D0000-0x00000000036DB000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1992-3-0x0000000003260000-0x0000000003264000-memory.dmp

            Filesize

            16KB

            Download

          • memory/1992-0-0x0000000001000000-0x00000000010A7000-memory.dmp

            Filesize

            668KB

            Download

          • memory/1992-1-0x0000000001000000-0x00000000010A7000-memory.dmp

            Filesize

            668KB

            Download

          • memory/1992-32-0x0000000001000000-0x00000000010A7000-memory.dmp

            Filesize

            668KB

            Download

          • memory/1992-33-0x0000000000910000-0x0000000000964000-memory.dmp

            Filesize

            336KB

            Download

          • memory/2748-35-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2748-40-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2748-22-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2748-23-0x0000000000020000-0x0000000000021000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2748-37-0x0000000000020000-0x0000000000021000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2940-16-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2940-31-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2940-17-0x0000000000400000-0x000000000050B000-memory.dmp

            Filesize

            1.0MB

            Download