Overview

overview

10

Static

static

3

449845d529...3d.exe

windows7-x64

10

449845d529...3d.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    3s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2024 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    449845d529457a2862f3e5a10d345f3d.exe

  • Size

    396KB

  • MD5

    449845d529457a2862f3e5a10d345f3d

  • SHA1

    4e71580f25c114bcf38fc39d896f037800e078af

  • SHA256

    b26a3c807fe28c3d6755ab871665bae40da4cda11927e7468b8cfe96f8673ed1

  • SHA512

    cd6bfefc88329620ebbd2a59cea8660fbc90688b9d140030e823772dbcf8160ff8b547f5fa3e118a68cba3cbdc671449fd874211dae0113d2d8ada16e1082c3a

  • SSDEEP

    6144:/QMirGyGQBBVOJnptAHDKKo/VaShM4D4JzVPHd6DSNNTXWGCDQ:WrBxsptlK8D2JPHcGHXWV

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 10 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449845d529457a2862f3e5a10d345f3d.exe
    "C:\Users\Admin\AppData\Local\Temp\449845d529457a2862f3e5a10d345f3d.exe"
    1⤵
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
      "C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\449845d529457a2862f3e5a10d345f3d.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    53KB

    MD5

    aa6f5bbe06159f2e31cbbf5d70d6a2e2

    SHA1

    440c48f61d87ba1bf5a050dc77ef04903bbe6c10

    SHA256

    8ef7e83e7ad7e06dcc62730fba7bf5b903f53ca5b7b26d495355b9b7fb9a2df4

    SHA512

    b4667d7181f875d945e0968f2fe9492bbd536e4458aa34fa1a7bf640b1f0fe1bc40d83c2b47e593c3c2e17155b444f77cb64a9f5a251baecb0da09b3b8b3a408

    Download Submit
  • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    41KB

    MD5

    7d6ccf27c3c81cbd56365737fdf73e4f

    SHA1

    cef5c212de515428cbd6aeeb647cd35e7b999461

    SHA256

    df531a1b2146942ba77785ba55aa8dc574c4adfe5e0e292802c99b7e8ddf61de

    SHA512

    8d26e44d761c27069ae8a1522f52fcadf96be15f78803172207b9a4dac52b8cc13217df7a15de8b50268220b9d44a4943e94cabe507699196512e672482e3528

    Download Submit
  • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    10KB

    MD5

    47279d29533501e7af4f2a202726feb0

    SHA1

    d9795c132591c5835a22971cfd654c322b295953

    SHA256

    87410af77abf521db7b3a49004e65ca3c99aca9b7e5cf507bbdbc48261d0b516

    SHA512

    4b4d779bbb3b664d4f95c2db2062f818da87a16f14c4f1fc2e238bf46a788e0987f3045e0f772da8f9c35855675289ae3b678a621d4343e61bbea06fb77d2d74

    Download Submit
  • \ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    48KB

    MD5

    5954ba7f80dc18151f51a2de26081aaa

    SHA1

    ec97f10b226415c631cadbf859dbead59395226e

    SHA256

    1ee63bb2a1b2f2466469712ae3b30d9ef4866018a451faa7c635952695b17da5

    SHA512

    2c9c60f5062afce3ed9cb327deb5a4b44f0b02dd2e2748d07d6b3a7695f572fd67ef22bc35f471e76182a0af41c6a7aa29c72098bc7a8ee4d2a0a409ef3319a7

    Download Submit
  • \ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    77KB

    MD5

    4b36ab4ac9a92ac8c0d781706f84be2d

    SHA1

    a84c1418c0a0fbe5c5ba5e22baa6cae5c30bea59

    SHA256

    6a293c4368a4898de67ff62505a4bc360cdbddd2137208891aa472cc9a301ccb

    SHA512

    e12798a0dd34e378ce9beabe97b8c0f0690de0de19d415f6a9569da43e37fc2259e6b29e7a610def6e42bb33666219824c6ebb1a888c6a7614d0f5482a1838f9

    Download Submit
  • memory/1276-0-0x00000000022A0000-0x00000000022A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1276-2-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1276-34-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1276-25-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1276-27-0x00000000022A0000-0x00000000022A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1276-6-0x00000000003B0000-0x00000000003B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1276-3-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1276-5-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1276-4-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1276-1-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-20-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-19-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-26-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-21-0x00000000003C0000-0x00000000003C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2968-16-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2968-37-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-38-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download
  • memory/2968-43-0x0000000000410000-0x00000000004D8000-memory.dmp
    Filesize

    800KB

    Download