Overview

overview

8

Static

static

3

714862e0e5...c0.exe

windows7-x64

8

714862e0e5...c0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 03:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    714862e0e5b2ef085be51cf2f9215dc0.exe

  • Size

    1.4MB

  • MD5

    714862e0e5b2ef085be51cf2f9215dc0

  • SHA1

    b8d54bfb1396a884d45223c88781964357b644e6

  • SHA256

    2eb1bc33cb108109297532ea7420c342205930fb4fbf39f6c54a135d46ee6c4a

  • SHA512

    3dbe7da97b732498eb84e5fec1254ba51d138056994c7fcccfe9e831048658112f2baa05a70e1af39475f36fcf26355bc252b995ac7e6cc883ccc7c99844d59f

  • SSDEEP

    24576:kkLj64BUIpE0i1JD0L4Q8es8MH/Fv7MXwbJ4/nkNnGtgjV7E9Lfc2nsBf6g644Aj:pdpEpDycesFzLJ4/kyYQ9Lc2fbArn

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\714862e0e5b2ef085be51cf2f9215dc0.exe
    "C:\Users\Admin\AppData\Local\Temp\714862e0e5b2ef085be51cf2f9215dc0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\714862e0e5b2ef085be51cf2f9215dc0.exeSz‰†
      2⤵
      • Modifies Windows Firewall
      PID:3480

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\ponto.DLL
          Filesize

          399B

          MD5

          f0161328b321dfcba81d4516524b2781

          SHA1

          c65bdb62b67f4150f94d75fa64788d8f05b13859

          SHA256

          f37e10ca84be6e476d1164eca5b1d104f5dac890f02f5de701c61b86f19a1eae

          SHA512

          273f3bcd6cf80020ac85227184c05d4c901c07e3782e741ee5b8abb63f89171c632725de68f4b015ca902fec4268eaa1101ab8d9b7f592721e08b94a329ff672

          Download Submit

        • memory/1812-0-0x0000000000400000-0x0000000001242000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1812-1-0x00000000013F0000-0x00000000013F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1812-2-0x0000000000400000-0x0000000001242000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1812-3-0x0000000001560000-0x0000000001561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1812-4-0x0000000005960000-0x0000000005961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1812-7-0x0000000000400000-0x0000000001242000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1812-8-0x00000000013F0000-0x00000000013F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1812-9-0x0000000001560000-0x0000000001561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1812-13-0x0000000005960000-0x0000000005961000-memory.dmp

          Filesize

          4KB

          Download