Overview

overview

7

Static

static

3

87dda89cfa...ba.exe

windows7-x64

7

87dda89cfa...ba.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2024, 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87dda89cfa280497c6cff544dcd4c4ba.exe

  • Size

    688KB

  • MD5

    87dda89cfa280497c6cff544dcd4c4ba

  • SHA1

    f915d276d3b04bb3d875b7e795423a6100108111

  • SHA256

    b3b684904a61c87001ff0ff19ddbfd07410d4d224097c9cfa30feba91f7a0eb0

  • SHA512

    0abb050c441a2b74c1b95ae3e09e10d9f0505693bef52987a7e8196c6e6b405b42666e1b85f77bc3f058560a4ae23f0f6c39612c21daac6c793870706d8da2cb

  • SSDEEP

    12288:xAQxS1qPBfvhFzMiAplPozy/SZoKF3Z4mxxKoEtlK+kt9T2M8:ZSUJvhFAdo2/yoKQmXDG9

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87dda89cfa280497c6cff544dcd4c4ba.exe
    "C:\Users\Admin\AppData\Local\Temp\87dda89cfa280497c6cff544dcd4c4ba.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2700
    • C:\Windows\360tray.exe
      C:\Windows\360tray.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Program Files\Internet ExploreR\iexplore.exe
        "C:\Program Files\Internet ExploreR\iexplore.exe"
        2⤵
          PID:2560

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\uninstal.bat
        Filesize

        160B

        MD5

        39e2f5f2febf13c001df320853c06bbc

        SHA1

        c500b67ca755a97060398f50491f3217e216c9a3

        SHA256

        fb76a588ad019882a45aeed8dbe5f82223797aa923b02a19110c4f55f78586a6

        SHA512

        94890ab2edbcd884d6dad6d36543e6497e3e8146b950f484d97f3f4786da16169385d79a293bb2f92621ac9cfa9dbf149ad6c96dce8e2430b58d2d361b940c8b

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe
        Filesize

        796KB

        MD5

        e7a194114b7174728130dafb2b61491a

        SHA1

        51f665f653211863eaeb140cd25a37c47ba83f22

        SHA256

        b9985efd415e2bd658eddf5e742c94ad8cc3470921fe3ca0a4a8bef061cc54f0

        SHA512

        64820e7607f42202f5f670b223ca80e24322dc67dffd61e18e3946ad3197ace30d891b79ff0c866b8e84c625df2844efe48c178586bdec25d4ed06f8452880bf

        Download Submit

      • memory/1656-47-0x0000000000400000-0x00000000004D1200-memory.dmp

        Filesize

        836KB

        Download

      • memory/1656-41-0x0000000000400000-0x00000000004D1200-memory.dmp

        Filesize

        836KB

        Download

      • memory/1656-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1656-38-0x0000000000400000-0x00000000004D1200-memory.dmp

        Filesize

        836KB

        Download

      • memory/1656-25-0x00000000002E0000-0x00000000002E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2992-34-0x0000000000400000-0x00000000004D1200-memory.dmp

        Filesize

        836KB

        Download

      • memory/2992-20-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-5-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-10-0x00000000009B0000-0x00000000009B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-1-0x0000000000250000-0x00000000002A4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3044-2-0x0000000000990000-0x0000000000991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-3-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-4-0x0000000000850000-0x0000000000851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-0-0x0000000001000000-0x000000000110F000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3044-35-0x0000000001000000-0x000000000110F000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3044-36-0x0000000000250000-0x00000000002A4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3044-6-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-7-0x00000000009C0000-0x00000000009C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-8-0x0000000000D00000-0x0000000000D01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3044-9-0x0000000000860000-0x0000000000861000-memory.dmp

        Filesize

        4KB

        Download