Overview

overview

7

Static

static

3

4c47c0a448...bb.zip

windows7-x64

1

4c47c0a448...bb.zip

windows10-2004-x64

1

wgsdgsdgdsgsd.exe

windows7-x64

7

wgsdgsdgdsgsd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    4s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/01/2024, 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wgsdgsdgdsgsd.exe

  • Size

    231KB

  • MD5

    83958cceb1f999ba2c7a74a41b65e528

  • SHA1

    0931d6872fc0f161b6b526605c233196b11f27f5

  • SHA256

    f15cadad17e1c67c984115d113ac2806c32131bb5170f524e4031e01c9808d9b

  • SHA512

    8df77821817858cd07b43eb9f802c8dc5c3964157d3792d13e535ea0bfd7a4ced119ff14f832157564b3bab8f0cfdd58d64339d5e52d10440a33798263ab1021

  • SSDEEP

    6144:5SAP3uarIOe3GQYjUUSDZvSt0rcNNn+VrNmtgFOQOxmZCfjTYSaTpd:5SS3XrIOebtdvLrGN8maFbdZ0jTYfTP

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3940
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3876
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        1⤵
          PID:2188
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
          1⤵
            PID:4540
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
            1⤵
              PID:1516
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:752
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                1⤵
                  PID:5004
                • C:\Users\Admin\AppData\Local\Temp\wgsdgsdgdsgsd.exe
                  "C:\Users\Admin\AppData\Local\Temp\wgsdgsdgdsgsd.exe"
                  1⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:5092
                  • C:\Users\Admin\AppData\Local\Temp\wgsdgsdgdsgsd.exe
                    "C:\Users\Admin\AppData\Local\Temp\wgsdgsdgdsgsd.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Modifies Internet Explorer settings
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3884
                    • C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe
                      "C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe"
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:2104
                      • C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe
                        "C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe"
                        4⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:1624
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp460aa298.bat"
                      3⤵
                        PID:3208
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          4⤵
                            PID:3564
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:1220
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3356
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3584
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:4020
                            • C:\Windows\system32\DllHost.exe
                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                              1⤵
                                PID:3772
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                1⤵
                                  PID:3548
                                • C:\Windows\Explorer.EXE
                                  C:\Windows\Explorer.EXE
                                  1⤵
                                    PID:3412
                                  • C:\Windows\system32\taskhostw.exe
                                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                    1⤵
                                      PID:2580
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                      1⤵
                                        PID:2448
                                      • C:\Windows\system32\sihost.exe
                                        sihost.exe
                                        1⤵
                                          PID:2392

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe
                                          Filesize

                                          6KB

                                          MD5

                                          eb7a8a9444bc11375b36c55d78dc2d73

                                          SHA1

                                          7d8c47ceb119b31c2b0d4a3caf3ff5290d325d99

                                          SHA256

                                          4adfb5da1fda3e378c81c58e424eeb02fb2a793282fe33f83a8336314b1f2f9d

                                          SHA512

                                          3420f39fb45f441ac7a0672334c8b32297b11402b3befea6a77f009fc27835e71bdb11ab6b1181f1c9fe690d67d27708f9523ea63e33a80d9fe174223f3155cf

                                          Download Submit

                                        • C:\Users\Admin\AppData\Roaming\Obzory\erebm.exe
                                          Filesize

                                          4KB

                                          MD5

                                          209f0d4b4726cde3add94ffa7065be8c

                                          SHA1

                                          2bb4b16ebebd9ff9c5b598296e18fc8f8cebe87d

                                          SHA256

                                          4cbdb56bbd8810ddff664a22ce0951f6dcb7ac83a2a57ca370175c98b9fa6a7f

                                          SHA512

                                          fb7479a81107bcd8d96fbdb124040a532572bd884163d2f7e725befc64f486ab99b783ef4a6e254f6dd224049ada488904e866dcdffd38f53604ddc58923ad6e

                                          Download Submit

                                        • memory/1624-32-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-27-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-64-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-62-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-58-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-56-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-55-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-29-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-28-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-36-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-40-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-34-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-33-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-38-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-16-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-31-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-35-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/1624-30-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3208-20-0x0000000000370000-0x00000000003AC000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3208-37-0x0000000000370000-0x00000000003AC000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-21-0x0000000077383000-0x0000000077384000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3884-19-0x00000000021E0000-0x000000000221C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-22-0x00000000021E0000-0x000000000221C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-24-0x0000000002260000-0x0000000002261000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3884-2-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-17-0x00000000021E0000-0x000000000221C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-23-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-3-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-6-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-5-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-4-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/3884-0-0x0000000000400000-0x000000000043C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download