Overview

overview

7

Static

static

3

6cc3eaef50...25.exe

windows7-x64

7

6cc3eaef50...25.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    89s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2024 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cc3eaef50526f145f57541b202c1025.exe

  • Size

    159KB

  • MD5

    6cc3eaef50526f145f57541b202c1025

  • SHA1

    cec8c3bb3d2ca7aacc6918acdafc85456c88e1bf

  • SHA256

    5d91fa0a62e8d79de6b130a8d6f2909e058174699a098802933cc4ff7c6e6c7f

  • SHA512

    03b3fbe32284b2f6c3cf404e5912cdd542c5b106d9c44139d76b7a455ee1c47660ac6e073d1e6d6a0e09588ba933cc32d3f237246eddfa7a6a7be816e69251e0

  • SSDEEP

    3072:GfIsRhQOk55XQWTt06JMZUlLQuqnvyIbtEjofeQrPvH9DRc6z+QN:GfIs85X/TqZsLQuqnVOrQrXfc6K

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe
      "C:\Users\Admin\AppData\Local\Temp\6cc3eaef50526f145f57541b202c1025.exe"
      2⤵
      • Registers COM server for autorun
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2660
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\n
    Filesize

    42KB

    MD5

    bfa0c9ec67cd0f1b2dabfc7777aae294

    SHA1

    c15a4686bda91546e4c3abba58530423c40da3dc

    SHA256

    f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585

    SHA512

    e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f

    Download Submit
  • \systemroot\Installer\{1b63f7c3-8bbb-5fac-e4e7-fa0e6991b570}\@
    Filesize

    2KB

    MD5

    6b1b5fcf8326145632af4ba4ebc2b1f7

    SHA1

    68ae11b573fe79bb20643ee6f536e0abd116b930

    SHA256

    93ade3c02b1d9d6d254ebd8fd2f5e682738360229940dcbe7f9dbf6efcb0a47f

    SHA512

    1611646bef0c21ed2e132a6d7048ab7048ca48b9b10a3faba865917ab5c45c67125513d3e0c2fac670b8eea8153033b491a8078b8853a627fa9b9d3e5419273e

    Download Submit
  • memory/464-26-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/464-15-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1260-24-0x0000000001D50000-0x0000000001D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1260-23-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1260-6-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1260-10-0x0000000001D50000-0x0000000001D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-4-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-5-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-0-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-20-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-21-0x00000000001C0000-0x00000000001ED000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-3-0x00000000001C0000-0x00000000001ED000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-2-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-25-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-1-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download