Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-01-2024 01:35

General

  • Target

    59eecd91d6f5be7d23d9ad5eab1a788a.exe

  • Size

    28KB

  • MD5

    59eecd91d6f5be7d23d9ad5eab1a788a

  • SHA1

    e282855f7f0226e9bc49c726b13e9a8f4dfbc5e3

  • SHA256

    b4eed01f69422039d0f550f9edac95a1687b7a21b01879a0dfbc3b873e61642e

  • SHA512

    d09e11e25aef1d8e477376cd9562e5b25d70c6c036ca6440757b1e93a594eb65e747c295bc9d14ead5f52a58c997f63f8ce22b8da9c50aeb9f67f1ff57f97a7c

  • SSDEEP

    384:g9c/lju92SNHNjctHds2HUWT6VI/x/DryPS:g9kli9jNOtH70/VCLWP

Score
8/10

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59eecd91d6f5be7d23d9ad5eab1a788a.exe
    "C:\Users\Admin\AppData\Local\Temp\59eecd91d6f5be7d23d9ad5eab1a788a.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Dx.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\attrib.exe
        attrib +r +s +h c:\woKuto.exe
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4768
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v UUcallo /t REG_SZ /d c:\woKuto.exe /f
        3⤵
        • Adds Run key to start application
        PID:4788

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dx.bat

    Filesize

    243B

    MD5

    5c1d779647a77ed9c6063e158e1ce2d6

    SHA1

    f86b01604b602d607c3a8ceaf663137fe2df1131

    SHA256

    1d40be51b63dbab25bdb8f1bad04a62f706c0ffdd430469b9b3363865e52818d

    SHA512

    24b444547300ca745a4334002ff6247afa3f2835c1781b3ea8f4abe0c6160ccaafe3264a902d6da9625b4f0fcef3c75f069517c993d7754084894e86edc11fd7

  • C:\woKuto.exe

    Filesize

    28KB

    MD5

    59eecd91d6f5be7d23d9ad5eab1a788a

    SHA1

    e282855f7f0226e9bc49c726b13e9a8f4dfbc5e3

    SHA256

    b4eed01f69422039d0f550f9edac95a1687b7a21b01879a0dfbc3b873e61642e

    SHA512

    d09e11e25aef1d8e477376cd9562e5b25d70c6c036ca6440757b1e93a594eb65e747c295bc9d14ead5f52a58c997f63f8ce22b8da9c50aeb9f67f1ff57f97a7c