Overview

overview

8

Static

static

3

70c81a886c...c9.exe

windows7-x64

8

70c81a886c...c9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2024 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70c81a886cca574b5bfee01dbdb8dcc9.exe

  • Size

    35KB

  • MD5

    70c81a886cca574b5bfee01dbdb8dcc9

  • SHA1

    dd7f3e6a038e6415d74e7cd221dc11f21d7b8f62

  • SHA256

    62b5f3d0161b7b936b55277e6676a10e21c9f6037c98cb4206316976f36fca99

  • SHA512

    cfd1a52df06bb8192ebd703f1f315029b94b59eb32372127b98ea72c5c8793390404c8e85a051acfe5280f3608a154342cf224acb383cb5e2fa9fc1f2e2dae3b

  • SSDEEP

    768:J6LiRTtlquXp7pPPuWJknGi0mJcWZSPh1nQMXYKj:ULoTauX9hPuNPPcWoPDnQMXLj

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\70c81a886cca574b5bfee01dbdb8dcc9.exe
    "C:\Users\Admin\AppData\Local\Temp\70c81a886cca574b5bfee01dbdb8dcc9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:2228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default tamaz.duckdns.org 1983 fCOELqyzG
        2⤵
          PID:2240

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1568-0-0x0000000001070000-0x0000000001080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1568-1-0x0000000073DC0000-0x00000000744AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1568-3-0x0000000000420000-0x0000000000430000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1568-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1568-11-0x0000000073DC0000-0x00000000744AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2240-6-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-12-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-9-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2240-5-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-4-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-14-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-7-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2240-15-0x00000000736D0000-0x0000000073DBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2240-16-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2240-19-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2240-18-0x00000000736D0000-0x0000000073DBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2244-17-0x0000000004210000-0x0000000004211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2244-20-0x0000000004210000-0x0000000004211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2244-24-0x00000000029E0000-0x00000000029F0000-memory.dmp

        Filesize

        64KB

        Download