Overview

overview

7

Static

static

3

7e2eb1874a...36.exe

windows7-x64

7

7e2eb1874a...36.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2024, 22:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7e2eb1874ae5daff2b6879b6d3b31636.exe

  • Size

    687KB

  • MD5

    7e2eb1874ae5daff2b6879b6d3b31636

  • SHA1

    b754f57efcbae9a88f0c71371a8a6b8b1cd78576

  • SHA256

    38c6c9c469e7a55ac0a690a4eec99acf1c45c43c2fb8c286253db61078b12e55

  • SHA512

    35534e27164809f4134867b5a52218585647ae4ea4590426ab962e59e779af026310500101db2986e589e1c9afa7fbe289d66e915f6d32f1707c4738770cb6e3

  • SSDEEP

    12288:G+d+rYD2zFExroFBiGeOWCTBf9xW7qF3Z4mxx05RG9xq/XG8pFwm0IE:bd+rYgExrMMGeIFQmX054/qPxCmZE

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e2eb1874ae5daff2b6879b6d3b31636.exe
    "C:\Users\Admin\AppData\Local\Temp\7e2eb1874ae5daff2b6879b6d3b31636.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:604
  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    1⤵
      PID:2196
    • C:\Windows\Hacker.com.cn.exe
      C:\Windows\Hacker.com.cn.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1456

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            123KB

            MD5

            6e7fba5410000148274d3b77cfca36d1

            SHA1

            11cff37107af3d31c791dacd8cb2e244b620bcbc

            SHA256

            97b9dcb422b80eea636ac0dc1616eaed8d86351a752094788d68646dcf2ce564

            SHA512

            982e5ed3ae5aa07bd949388b27692a529584b03d56389d67ec1641424a7dd5c82f785c5ec98e9da54ae52cd552cd50548965398441c72e5850c8dbf5b1354938

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            147KB

            MD5

            d14a878c1abf1b5716c96b86a291ba1d

            SHA1

            5c5aadcadc923f4355b764b9d542f251d85ea407

            SHA256

            31fc59ab7629d28fd1b3cab68251441c93c0df599e878bcf59e0fb644a5d8d99

            SHA512

            eef5df6717a4a3252082ef9f38914f80b17b446c9e89ab9a965ce4251e1e62a465a99b9fbf11a51a1a2b5bff3f25b6219df9221723a209bffc12b2353d65e6a4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            72KB

            MD5

            29ea68536abe342ca9c362913b6d002a

            SHA1

            644b8ce08162650d582b0382189636cf6a8434d8

            SHA256

            a22c5760283bd5aa1b453cec80e8a757a7a6590685962a0f41cf6de34d73d0d7

            SHA512

            96cbeaab15928e0fd0fc5e81da12a24c6d5e47d0e65015a916840effff88f65ffb2fbc2de7313804e4c32f98720a1bfe307bbafa14f89684b8a53c04e8a08a3e

            Download Submit

          • C:\Windows\Hacker.com.cn.exe
            Filesize

            74KB

            MD5

            1addcbd926575f0774a40d7ea4220de6

            SHA1

            f738f533dfd3994c8e378a8fc6c9b9f991ba5646

            SHA256

            4d80145d7f8df271c289d56b3a2e9982907de1938a9e1fc57cf297421080a826

            SHA512

            3473139b34e488bc69a5da1b2e765f1d8d1fb9f233b6aac246bb6ca8ad343b4db030e8d0e447e05d91a198554de5f0509c8a362f44804b1d0408e1c241242d11

            Download Submit

          • C:\Windows\Hacker.com.cn.exe
            Filesize

            232KB

            MD5

            47dceca13a63a57be71e9d5410565d7b

            SHA1

            05857133564d1a18fe3985eafb6a642fdb932732

            SHA256

            ef2cf42ebb4021924af88b379b99c90520945eeb5c160e808b1e9eea72ac4a47

            SHA512

            53cabaeb8a6003d8ef9a901daa9b9dd0093b00e577348f3ed6cc9f6b0d641b47be6fc03738c7c96ceae2836e7e2c60c4172c0e6229c0afb9bd68c7db7b10eefe

            Download Submit

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            165KB

            MD5

            c49425493e4b06ed410fa1b8d128b05c

            SHA1

            63837cd7443e3febf2a7f9c9a2c89506ad8c5063

            SHA256

            460a7ca33620f9e18ca4c83522223ac6429df227aca17272722a06cfd2be0522

            SHA512

            8612b5713c1f1594155a1ac9fef1bad6648fb044e5319f9d4e170f61e2749382f9e617c3816bc44de43e4279b6c5f3b84a79d2a744dce4f45753a91cf0c89097

            Download Submit

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
            Filesize

            185KB

            MD5

            aaab39b03176b176be3ca75b2ef73229

            SHA1

            39777f96bb0450c672505c61daf6b7d450231f70

            SHA256

            fecaac7ef5844105e527118099b4fbc2986a95a1dea37ceed8644aa6c5831de6

            SHA512

            f98ab0c97f8d51789585ae58a819e492b0339f8544939780e2fc21e025362c4882a9b5f9fc2734086f41f26c99631094ace2c76919a7bb8f10b47927e56a6876

            Download Submit

          • memory/604-40-0x0000000000400000-0x00000000004CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/604-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1456-48-0x0000000000400000-0x00000000004CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1456-44-0x0000000000400000-0x00000000004CE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/1456-42-0x00000000002E0000-0x00000000002E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-13-0x0000000000970000-0x0000000000971000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-6-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-17-0x0000000000D00000-0x0000000000D01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-16-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-15-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-14-0x0000000000960000-0x0000000000961000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-1-0x00000000006B0000-0x0000000000704000-memory.dmp

            Filesize

            336KB

            Download

          • memory/1888-12-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-11-0x0000000000990000-0x0000000000991000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-10-0x00000000009B0000-0x00000000009B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-9-0x0000000000940000-0x0000000000941000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-8-0x0000000000690000-0x0000000000691000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-18-0x0000000000980000-0x0000000000981000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-5-0x0000000000310000-0x0000000000311000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-4-0x0000000000810000-0x0000000000811000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-3-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-2-0x0000000000680000-0x0000000000681000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-19-0x0000000000D70000-0x0000000000D71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-43-0x00000000006B0000-0x0000000000704000-memory.dmp

            Filesize

            336KB

            Download

          • memory/1888-20-0x0000000000D50000-0x0000000000D51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-41-0x0000000001000000-0x0000000001110000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1888-21-0x0000000000D30000-0x0000000000D31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-22-0x0000000000D20000-0x0000000000D21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-0-0x0000000001000000-0x0000000001110000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1888-23-0x0000000000D90000-0x0000000000D91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1888-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

            Filesize

            4KB

            Download