Overview

overview

10

Static

static

3

4887672fa6...01.exe

windows7-x64

10

4887672fa6...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2024 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4887672fa6fd896dbf012cfa1bae2a01.exe

  • Size

    13KB

  • MD5

    4887672fa6fd896dbf012cfa1bae2a01

  • SHA1

    cd859d5971869a7e0525c4d6dc4af83a52347f95

  • SHA256

    a1ceddc9d7da293f5407e7a5ade3e15c3469f2edcb34571e1d013faad18a005b

  • SHA512

    eff6ae3ac8dc94741ff984901d5ba2bec329a24fcaef5bfea9b30c64271d1bd9a0018ec4e987aa222a9d9256cfee2ee4ec1fb088f733cef407ac9d3fc141a431

  • SSDEEP

    384:81a5rf+4/Q748EUZXORGGLno3T9oqjbZI6ufkZ87T5f:81a5wVlcRG4avy6FZ87TJ

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4887672fa6fd896dbf012cfa1bae2a01.exe
    "C:\Users\Admin\AppData\Local\Temp\4887672fa6fd896dbf012cfa1bae2a01.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BB61.tmp.bat
      2⤵
        PID:3580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BB61.tmp.bat
      Filesize

      179B

      MD5

      2d3af247c02b5cf355a1024ab024053d

      SHA1

      481ac1a5d35c9265858fde7de27222f42349d76a

      SHA256

      fe2330884fc1694223c87f0d9b26a69481a91624ce98387b912fdd7970c14a81

      SHA512

      7ffe10be0b02870e206f5c5bedb19e490dc8ad49cc701919bc24219e02ab3327a61a2bf04b2a7e6d1d9654687ef5dd337ff222c7b752b22c2a416798b65ef0ea

      Download Submit

    • C:\Windows\SysWOW64\catsrvwl.dll
      Filesize

      93KB

      MD5

      e3da706519895933a2456e89a05291c4

      SHA1

      093e1b08d8855ed1b570eeb699d216725edd5e51

      SHA256

      cedfd9b27a204815663109f513cf1871678ff11d7dcb733b1ee7a5ec307f98ce

      SHA512

      77c7418d1d50d65bd55416a4ed122d23a26760ea00f31f7b82bde9338f4347fc0927d20134b0521fb1e3a78fc22a78efc8cbcd5abc70468ce7836d976699594b

      Download Submit

    • C:\Windows\SysWOW64\catsrvwl.nls
      Filesize

      428B

      MD5

      bf4b1e3f06909ab8e6db92588c0c18f3

      SHA1

      35b033da3ddc8e693599e985d1c9799f582b5922

      SHA256

      e09567d98ed6fa4c3c31828a2744fc8142c9e934d6cbab55050f4759789ef30f

      SHA512

      eaa42b06298cc0cf675d7275bf7061a6f96b5b1abb1049e8015effc01439d7f52be5eb4574fdcff45e6a68edbe478c88ff218a51d33b933cc279b14f67ed963b

      Download Submit

    • C:\Windows\SysWOW64\catsrvwl.tmp
      Filesize

      519KB

      MD5

      3ed13306996f39ac4fbd901639810f04

      SHA1

      87782e71c1a002cc2c638c2a24c000714a7dc76f

      SHA256

      b548252ce017d63b129ac520476ffde39e6997ed7e95e6661fa419dd3b646e86

      SHA512

      90a7c6c1c0cf546e5359ce6b004b4a65d807c7dd45a70ca791734a046a3f7585b1210235dc603c5664ce4f1dd5d25ce37faa8112fe00e417b3d9038688fb6e95

      Download Submit

    • memory/2652-17-0x0000000020000000-0x000000002000A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2652-21-0x0000000020000000-0x000000002000A000-memory.dmp

      Filesize

      40KB

      Download