Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2024, 11:27

General

  • Target

    4e2e1f3ac55c19e9f30f8eb5e962d172.exe

  • Size

    42KB

  • MD5

    4e2e1f3ac55c19e9f30f8eb5e962d172

  • SHA1

    37cb4556fb983bcfe043b04413d7faea5312b716

  • SHA256

    2de69f07a6f6b29d11ada45396474e4186f7dc796a02a957c79f48dc4ae77bc2

  • SHA512

    8981409c69e9b13bf99960efc345e4473198c87cc23b1590ecb5a9524572c85e47c4a19c4cef06b2f017fea442ba91e7750b496c5653fc2958d7abf37a4bec3d

  • SSDEEP

    768:aYbywQ/j4ebRLNAYfQIVR8xS5auCo2Wc8TBxBzHFf4Oefx4hcldZPJUqycgLHY:SMGdNL4IVR8xS5aurhdHrh0dZxqx4

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e2e1f3ac55c19e9f30f8eb5e962d172.exe
    "C:\Users\Admin\AppData\Local\Temp\4e2e1f3ac55c19e9f30f8eb5e962d172.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\Fonts\svchost.exe
      C:\Windows\Fonts\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1756
    • C:\Windows\Fonts\sys
      C:\Windows\Fonts\sys
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\Windows\Fonts\sys
        3⤵
        PID:1212
    • C:\Windows\Fonts\cmvd
      C:\Windows\Fonts\cmvd
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:3756
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\DEL.bat
      2⤵
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Windows\Fonts\cmvd

        Filesize

        12KB

        MD5

        a9183e73dde5835593abd4761c73c1b4

        SHA1

        146985905b167b730b16aa8cb9a8aa8275ae89c2

        SHA256

        74081a6cbae959c4c0d1c967a6fdb313ba62ffdaeabd6d14fcd64d31e82ec297

        SHA512

        227f00037d3a8ef030e71892de7821c4d0c4c34cdd8db92f93e2fe0fbc6841520c92bf322456132ef17b61d19a43c2c334d3b644befa5700f00914e2a50e7161

      • C:\Windows\Fonts\svchost.exe

        Filesize

        5KB

        MD5

        9b8cffa5abe8350d9d9d2af54c851e50

        SHA1

        7adb7ef3bec64528806a327e70026dd7df11e8f5

        SHA256

        6967469c99439ead9abf03f1fd3ac0153d4ef7f1906739fa75df45c2e67a3bec

        SHA512

        a14c60a193b65e29f2c2c4580287d3d82371fb4b4a78fe1f68a39e2c1badff02bbecececa987cff92182d7ba6c4f3ce64e975fa7ce08197a5bf41942ba26ff7f

      • C:\Windows\Fonts\sys

        Filesize

        1KB

        MD5

        f4ed1044cc0d6cc42e440711fb793351

        SHA1

        32c7448eb4c5696b3c15322ddd9106e42eb22c10

        SHA256

        5889649d626751af6b05482ecc398a02d453467f10fdfff2b94e50c85866488d

        SHA512

        47d8a728bb18c1b8acdf1dcc9e66e9093bf332368ea202c21a00d9bb17983f83dbefab9ee1e0baee7f4be236de445f0ff83c9b4a69ca6055d1916df4c75b5e78

      • C:\Windows\SysWOW64\dbwozuyb.dll

        Filesize

        13KB

        MD5

        015a4e6ca2f0595f57d51aaa77744746

        SHA1

        773c3cd62352264886c34e54b53bf4acdcf4432a

        SHA256

        095f63cad6c7eb7f4b7a51e718e5f9debb48d1733121220d6c32fbda48cb1406

        SHA512

        1e4d72353a845361c304a222e59838d9f0c2f025e12444f6f8ff8d9055af33b86ae22dd698154fd7ac6f906a7c985426629733d98bc71740a02a4c92b2734578

      • \??\c:\DEL.bat

        Filesize

        182B

        MD5

        9542d4c7ac8e1ba543a61952b5cb7cd2

        SHA1

        91cc1cb364a761337935e99546d379db5892a19d

        SHA256

        321612956a4cedcad9b71ebda90aea222124af71aef64a50317c689f6ef44d7e

        SHA512

        6ab46d7a670502d0cc6765492f96b9b158fbd1fb627b8f758149a228300e96581167c968c5a74d19c57fb927d7e47825715a574c8d308d1ebf8db9009a1a415f

      • memory/1588-19-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

      • memory/1588-20-0x0000000000300000-0x0000000000310000-memory.dmp

        Filesize

        64KB

      • memory/1588-21-0x0000000002B90000-0x0000000002B91000-memory.dmp

        Filesize

        4KB

      • memory/1588-23-0x0000000000300000-0x0000000000310000-memory.dmp

        Filesize

        64KB

      • memory/1588-24-0x0000000002B90000-0x0000000002B91000-memory.dmp

        Filesize

        4KB