Overview

overview

7

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2024 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    9.4MB

  • MD5

    db3edf03a8a2c8e96fe2d2deaaec76ff

  • SHA1

    2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

  • SHA256

    a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

  • SHA512

    121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

  • SSDEEP

    98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:528
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab2696.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar26E7.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      ed9845184c996894e3a708c6887ba4e0

      SHA1

      17e8baa1db4adc4cba8014b163a38d11b6d1ef2e

      SHA256

      ea26cb02dac881a8e1253ce2bc938cc5b6a47ccebe873be91165df9c9aac6808

      SHA512

      4e167b82f7b3e425ca13de3c218f7c23c71a574d48e409b7d11eac0a67c5031207f80d4f97fe871838109c226f88e6074015b6ff13447aff6306730b482c37cf

      Download Submit

    • C:\Windows\system\svchost.exe
      Filesize

      8.2MB

      MD5

      e8691773240af15c89eb540a9285c686

      SHA1

      4c56da2d1bdb64af4f58412e696d7778981efbcd

      SHA256

      0e5c7ef2582d8f3b2ad5d3406a2c71bb3f8541962d9ae8750bf958b633dc5c10

      SHA512

      4c0fbfc67b5e2fe3d1d59f519af66154b2955d0b71a0e5b6179f513541d58c209578e31abcdb0a3a43a70383bce290a5a494e1a5caa7f5581d902b33ac8ed05a

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      5.6MB

      MD5

      5c3988c154fdbcb09668299370c29fc0

      SHA1

      14761d553ec46455cce77f2e1d5752aad0cc2642

      SHA256

      f8e7ee0bc9a50650d1a2ec74aaf1009f73d6925dcde72a078917ee4fd9eb7934

      SHA512

      8aa2a94643ee051c5f1f0bc8c7de8d2929551d568c103889c1a06cdcb5d49cfedf79e11bb4ecb42b726860879633adc0d6a8239166ea7c07916a90e9e6325dce

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      8.0MB

      MD5

      6a48e355f3934b9d33b775a2c9367cff

      SHA1

      8dce1f4d43efdaa1ce214076f0e772f8dbb7eef4

      SHA256

      29bf653db7781ab8eeddae69ad31da2c4d1ba04f1eb0a031f2225311dec41e6b

      SHA512

      0865412cb3aabe142424087ab9a4605ca1a01cda833122095b02d3482722935e517347532a287fcd445de08312bb2ebae6cb596ea2048fa7b820f5d1bac1c94b

      Download Submit

    • memory/952-53-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/952-56-0x00000000024F0000-0x0000000002570000-memory.dmp

      Filesize

      512KB

      Download

    • memory/952-54-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/952-55-0x0000000002620000-0x0000000002628000-memory.dmp

      Filesize

      32KB

      Download

    • memory/952-65-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/952-62-0x00000000024F0000-0x0000000002570000-memory.dmp

      Filesize

      512KB

      Download

    • memory/952-61-0x00000000024F0000-0x0000000002570000-memory.dmp

      Filesize

      512KB

      Download

    • memory/952-57-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1208-0-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-1-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-38-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-2-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-3-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-41-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1208-4-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/1640-59-0x0000000002A60000-0x0000000002AE0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1640-58-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1640-64-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1640-63-0x0000000002A60000-0x0000000002AE0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1640-60-0x0000000002A60000-0x0000000002AE0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-19-0x00000000026D0000-0x0000000002750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-21-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-24-0x00000000026D0000-0x0000000002750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-14-0x000000001B450000-0x000000001B732000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2840-26-0x00000000026D4000-0x00000000026D7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2840-22-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-25-0x000000000297B000-0x00000000029E2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2912-23-0x0000000002974000-0x0000000002977000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2912-16-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-15-0x00000000023E0000-0x00000000023E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2912-20-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-18-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-17-0x0000000002970000-0x00000000029F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2952-40-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/2952-66-0x0000000180000000-0x000000018070E000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2952-94-0x0000000140000000-0x0000000140A64400-memory.dmp

      Filesize

      10.4MB

      Download