Overview

overview

8

Static

static

3

58cbe9a20b...33.exe

windows7-x64

8

58cbe9a20b...33.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2024 11:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58cbe9a20b53d89afaf40c0ef190b033.exe

  • Size

    527KB

  • MD5

    58cbe9a20b53d89afaf40c0ef190b033

  • SHA1

    4f9fbde2fc0c8b414507f5c564f609890f3b1716

  • SHA256

    210f98b944421ed95d192ff591c5eb4992760bd7112674c78851f6ae286f20ab

  • SHA512

    97363820fb6adffe9046cd36689d65be2065afedd7178e0b3acf4d059e080b4c0592f6ceb08749eeb82e88fb07ba6a7f8ef6bcc134d204c2094d12d2759c7143

  • SSDEEP

    6144:6ZOYqQOHwd4Z6aeUT75+niG7sPFpWmU0rLHKQMNbuHy6BEXb3zXBJXtPP5kU4n3U:6ZGQKZ7r1y7kr2xNBtfftPmUEs+zC

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\58cbe9a20b53d89afaf40c0ef190b033.exe
    "C:\Users\Admin\AppData\Local\Temp\58cbe9a20b53d89afaf40c0ef190b033.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
      "C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
    Filesize

    135KB

    MD5

    746bf2ca2fd18b6d9929563cf7684d10

    SHA1

    4835b96432562d99de51396dcc946fd3d96ba26f

    SHA256

    e5a23252935d9abf1507cb9349dc4456a4f7bc4737e9de47bfeeaa3eb0ae57eb

    SHA512

    7aaba542696ff0cba23083dde21f461b964b340347abda5a56f5d7ac55a4c56e59be58c2bd10858f292931794d628a8c905fac61d1bcba8b295d6387ca282d96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
    Filesize

    193KB

    MD5

    18a691428bea4e91014fce2cd8263206

    SHA1

    b5f5bc103f5cc7c1caf61372eb7762d24c34a7cf

    SHA256

    9e14e8e4cf8f25bc865db104aa88c6c68b6c94b5608c4f245b5d25251b0cee7a

    SHA512

    b84687ac64d78ac0b60347eca196dcd436fd209e68af60b888ae39e3b2e9750a44b50e314d9f4eea40de840739147a606049841ed305260409973e39565ca40d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
    Filesize

    527KB

    MD5

    58cbe9a20b53d89afaf40c0ef190b033

    SHA1

    4f9fbde2fc0c8b414507f5c564f609890f3b1716

    SHA256

    210f98b944421ed95d192ff591c5eb4992760bd7112674c78851f6ae286f20ab

    SHA512

    97363820fb6adffe9046cd36689d65be2065afedd7178e0b3acf4d059e080b4c0592f6ceb08749eeb82e88fb07ba6a7f8ef6bcc134d204c2094d12d2759c7143

    Download Submit

  • memory/1768-0-0x0000000000330000-0x00000000003B2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1768-2-0x0000000000400000-0x000000000099E000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1768-36-0x0000000000400000-0x000000000099E000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2416-31-0x0000000074EA0000-0x0000000074FB0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2416-29-0x0000000077370000-0x0000000077371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-14-0x0000000010000000-0x00000000104EB000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2416-30-0x0000000074EA0000-0x0000000074FB0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2416-34-0x0000000002C10000-0x0000000002D10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2416-33-0x0000000000D40000-0x0000000000D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2416-32-0x0000000074EA0000-0x0000000074FB0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2416-35-0x0000000002C10000-0x0000000002D10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2416-15-0x0000000002BA0000-0x0000000002C0E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2416-38-0x0000000010000000-0x00000000104EB000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2416-37-0x0000000000400000-0x000000000099E000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2416-41-0x0000000002C10000-0x0000000002D10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2416-51-0x0000000010000000-0x00000000104EB000-memory.dmp

    Filesize

    4.9MB

    Download