Overview

overview

10

Static

static

3

765e7c536a...54.exe

windows7-x64

10

765e7c536a...54.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    63s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2024 04:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    765e7c536aaca5b29228227b7e4c0c54.exe

  • Size

    257KB

  • MD5

    765e7c536aaca5b29228227b7e4c0c54

  • SHA1

    d4aac6b46ae174d4adff8c114ab4eb6f957f2ce8

  • SHA256

    bcde1a1b358288bda4eeb85088703c509df57719c60b5417d4c1c56bdc631d24

  • SHA512

    580318010e0f98419eea5a40d11d933280bb10a05d918edd331b57b5fd054b1141465b8c1ab3dfba99d633416496f0ec248398156d38f297ca1ea5a411848efa

  • SSDEEP

    6144:SNCMjUidDzOW8qGt8WP9Itvy5UnByKtIr89VhsKCAArs5Jn7u:SkMjFOW8q6JVItvtnB4rWhsKCAArs5JK

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:340
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\765e7c536aaca5b29228227b7e4c0c54.exe
      "C:\Users\Admin\AppData\Local\Temp\765e7c536aaca5b29228227b7e4c0c54.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Users\Admin\AppData\Local\a98ee895\X
        *0*28*43a04d09*69.64.52.10:53
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2936
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2360
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:1620

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\a98ee895\X
        Filesize

        38KB

        MD5

        72de2dadaf875e2fd7614e100419033c

        SHA1

        5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

        SHA256

        c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

        SHA512

        e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

        Download Submit
      • \Windows\System32\consrv.dll
        Filesize

        29KB

        MD5

        1149c1bd71248a9d170e4568fb08df30

        SHA1

        6f77f183d65709901f476c5d6eebaed060a495f9

        SHA256

        c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

        SHA512

        9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

        Download Submit
      • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
        Filesize

        2KB

        MD5

        840290827ac3652b26105649df454770

        SHA1

        3fb27e2a4cf094e56cd0a111ea85a753ad8ef27a

        SHA256

        cfba1f8ed24d4cbae51e14a582b03b950d346292809f90c038e2446e25ce662a

        SHA512

        2bb6fe7a370c37b1f4c54d4a375069ccd2621506045335e1f9c47f6f4d39495f17af83e1ee8f84dd3b2ee7f7d6415c15cbb7b8325cd4e20832bb42d0d796087c

        Download Submit
      • memory/340-27-0x0000000000E40000-0x0000000000E4B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/340-43-0x0000000002500000-0x0000000002502000-memory.dmp
        Filesize

        8KB

        Download
      • memory/340-17-0x0000000000E40000-0x0000000000E4B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/340-26-0x0000000002500000-0x0000000002502000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1196-3-0x0000000002510000-0x0000000002516000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1196-12-0x0000000002500000-0x0000000002502000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1196-36-0x0000000002530000-0x000000000253B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-32-0x0000000002530000-0x000000000253B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-28-0x0000000002530000-0x000000000253B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-38-0x0000000000E40000-0x0000000000E4B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-39-0x0000000002540000-0x000000000254B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-37-0x0000000002540000-0x000000000254B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1196-7-0x0000000002510000-0x0000000002516000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1196-11-0x0000000002510000-0x0000000002516000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1196-44-0x0000000000E40000-0x0000000000E4B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2288-1-0x0000000030670000-0x00000000306C2000-memory.dmp
        Filesize

        328KB

        Download
      • memory/2288-42-0x0000000030670000-0x00000000306C2000-memory.dmp
        Filesize

        328KB

        Download
      • memory/2288-41-0x0000000000410000-0x0000000000510000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2288-40-0x0000000030670000-0x00000000306C2000-memory.dmp
        Filesize

        328KB

        Download
      • memory/2288-2-0x0000000000410000-0x0000000000510000-memory.dmp
        Filesize

        1024KB

        Download