Overview

overview

4

Static

static

3

7adb8f33f2...01.exe

windows7-x64

4

7adb8f33f2...01.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2024, 17:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7adb8f33f2aa1621e800f75c1d863501.exe

  • Size

    1.7MB

  • MD5

    7adb8f33f2aa1621e800f75c1d863501

  • SHA1

    28ac3827e157eb9d2cfbd3ca4007d4127760b1d9

  • SHA256

    32b80aeaf6ad991bf6ed1c7a39de3e1be5dc7dc68c7f8fa9b767c818b0772728

  • SHA512

    79a96841ba5eb8a1a78b7e09b3971a9144c99596944f8541015dd72cf3e6f52d22847129bbf1686c3fba4fa20bf62a305be8012244df2f992257908c46ee77c2

  • SSDEEP

    49152:gPOO2W98azqE57juUbBi0c6zPOzP0zH5m:EO498az17iyBi0c6zPOzP0zH5m

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7adb8f33f2aa1621e800f75c1d863501.exe
    "C:\Users\Admin\AppData\Local\Temp\7adb8f33f2aa1621e800f75c1d863501.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im QQ.exe /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im QQ.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im qqdat.exe /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im qqdat.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im QQ .exe /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im QQ .exe /t
        3⤵
        • Kills process with taskkill
        PID:1204
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    PID:2684

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\mytupian.jpg
          Filesize

          38KB

          MD5

          1708f272a85e93683435b35afdb1f424

          SHA1

          ebc17fa856c1ff2a7024a0b58b27e48d0498a1d9

          SHA256

          cfe305297ca4fdef233d9baf0524c375046f5c250b8729673290195821d3eb7c

          SHA512

          7eb6a9c21360b0f3ab7e5cd61a9942f70502ba0523aecb710a4262a73d3318d4a8b05c7cff17ab7362880f6dc61b59832b98f94ff0b14dfeb89d5658cfcf0360

          Download Submit

        • memory/624-1-0x00000000032D0000-0x00000000032D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2684-2-0x0000000000160000-0x0000000000162000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2684-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2684-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

          Filesize

          4KB

          Download