Overview

overview

8

Static

static

3

56a11d42e1...03.exe

windows7-x64

8

56a11d42e1...03.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2024, 13:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    56a11d42e185594f15ca13307e3b8803.exe

  • Size

    319KB

  • MD5

    56a11d42e185594f15ca13307e3b8803

  • SHA1

    117d5ecb4d77c833db938702c1d3c199c690d24a

  • SHA256

    966d59c3472a79da16791a85b2094b15009148c72054074787eed977520b7b8f

  • SHA512

    d44523063c65087b4dedecf57b443b0e5faa5e4045c4dac7b80e548799e3e7de9431426891aff43dcd0440a14fce468f0e8029bbe5e975a434e185c664cc9e80

  • SSDEEP

    3072:qA4jqSSpO3YlFO4pG6WR+PQjiH6xti2R50YjPdUoLuI2ugUce9FtlD7y4Nhk3SvC:qyO3IBvGuHuggDt95Pk3Eawc97WP

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\56a11d42e185594f15ca13307e3b8803.exe
    "C:\Users\Admin\AppData\Local\Temp\56a11d42e185594f15ca13307e3b8803.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\otb.exe
      "C:\Users\Admin\AppData\Local\otb.exe" -gav C:\Users\Admin\AppData\Local\Temp\56a11d42e185594f15ca13307e3b8803.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:1960
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2420

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\otb.exe
          Filesize

          319KB

          MD5

          0be35baa3796a735b8931700277ea6a5

          SHA1

          9563c2b3d25cf976fc840b07a6b278d7d2df44cf

          SHA256

          c22b88ec5616e7fb0c45622b4427aa9f621eff7aa4a3c0536eaf8a55fddd44ac

          SHA512

          35a1d8a70bd67390c54382a280085a95a701755e68ebca628b3e6898f2a0b32f203df1a2acd93619cf3260ffaaedfc66d098897a05e70cb1f2cb90d0c8251546

          Download Submit

        • memory/1960-13-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1960-17-0x0000000001E20000-0x000000000222E000-memory.dmp

          Filesize

          4.1MB

          Download

        • memory/1960-16-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1960-14-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2240-3-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2240-12-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2240-0-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2240-2-0x0000000001DC0000-0x0000000001EDD000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2240-1-0x0000000001FB0000-0x00000000023BE000-memory.dmp

          Filesize

          4.1MB

          Download

        • memory/2420-15-0x0000000004210000-0x0000000004211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2420-19-0x0000000004210000-0x0000000004211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2420-33-0x0000000002670000-0x0000000002680000-memory.dmp

          Filesize

          64KB

          Download