Resubmissions

05-02-2024 02:02

240205-cgfrragah3 10

04-02-2024 16:44

240204-t84fkagecr 10

Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-02-2024 16:44

General

  • Target

    8fa716e6d698cff761a257134fc0dcbc.exe

  • Size

    244KB

  • MD5

    8fa716e6d698cff761a257134fc0dcbc

  • SHA1

    1cbb32439e7024126f00f371ebddd81ec850110c

  • SHA256

    aa08fb940347c2e06c546e101a2628f13d1f26676b81f97a038296e620fd0e02

  • SHA512

    524639d57e7c16d5a45d316fb540e6e0be8fdea137b53e9f2b58fa02883ed45175efb3d9d6ce722ecfc814656c9cf88418212c516e30e5c4077f5835935e4e63

  • SSDEEP

    6144:dqz/fSW9BPwtfHImpvlhsvMRpSS8chIQQzsDU:ltf9U8vIQvDU

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Kills process with taskkill 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fa716e6d698cff761a257134fc0dcbc.exe
    "C:\Users\Admin\AppData\Local\Temp\8fa716e6d698cff761a257134fc0dcbc.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
        3⤵
        PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cd C:\Users\Admin\AppData\Local\Temp && del blackhacker1298.exe && del upx.exe
      2⤵
      PID:3856
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im cmd.exe /t && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im cmd.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
        3⤵
        PID:908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      PID:2548
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe /t
        3⤵
        • Kills process with taskkill
        PID:4900
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2272
      2⤵
      • Program crash
      PID:2080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2244 -ip 2244
    1⤵
    PID:5060
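The process tree above is the kind of record a detection engineer turns into rules: the sample spawns cmd.exe wrappers that force-kill taskmgr.exe and cmd.exe with taskkill, rewrite Explorer's Hidden value with reg add, delete blackhacker1298.exe and upx.exe from Temp, and finally crash (WerFault reporting on PID 2244). The following Python is an added example, not part of the sandbox report or its tooling: it encodes a representative subset of those command lines and PIDs as constructed process-creation events, matches each of the report's named behaviours on the image that actually does the work, and attributes every hit back to the root process. The event field names (pid, ppid, image, cmdline) and the rule names are this example's own assumptions, not the sandbox's export format.

```python
"""Triage of the process tree above: constructed events, rule matching, root attribution.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines and PIDs shown in the tree; the field names (pid, ppid, image,
cmdline) and the rule names are this example's own convention.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "pid root_pid rule detail")

SYSWOW = r"C:\Windows\SysWOW64"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8fa716e6d698cff761a257134fc0dcbc.exe"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed from the report's process tree (a representative subset of the chains).
EVENTS = [
    {"pid": 2244, "ppid": 0, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 656, "ppid": 2244, "image": SYSWOW + r"\cmd.exe",
     "cmdline": f"cmd /c reg add {ADVANCED} /v Hidden /t REG_DWORD /d 0 /f && exit"},
    {"pid": 1604, "ppid": 656, "image": SYSWOW + r"\reg.exe",
     "cmdline": f"reg add {ADVANCED} /v Hidden /t REG_DWORD /d 0 /f"},
    {"pid": 3300, "ppid": 2244, "image": SYSWOW + r"\cmd.exe",
     "cmdline": "cmd /c taskkill /f /im taskmgr.exe /t && exit && EXIT"},
    {"pid": 3164, "ppid": 3300, "image": SYSWOW + r"\taskkill.exe",
     "cmdline": "taskkill /f /im taskmgr.exe /t"},
    {"pid": 3856, "ppid": 2244, "image": SYSWOW + r"\cmd.exe",
     "cmdline": r"cmd /c cd C:\Users\Admin\AppData\Local\Temp && del blackhacker1298.exe && del upx.exe"},
    {"pid": 1020, "ppid": 2244, "image": SYSWOW + r"\cmd.exe",
     "cmdline": "cmd /c taskkill /f /im cmd.exe /t && exit"},
    {"pid": 2716, "ppid": 1020, "image": SYSWOW + r"\taskkill.exe",
     "cmdline": "taskkill /f /im cmd.exe /t"},
    {"pid": 2080, "ppid": 2244, "image": SYSWOW + r"\WerFault.exe",
     "cmdline": SYSWOW + r"\WerFault.exe -u -p 2244 -s 2272"},
]

# reg add <HKCU Explorer\Advanced> /v Hidden ... /d <value>; group 1 is the value written.
HIDDEN_RE = re.compile(
    r"\badd\s+(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Advanced\s+/v\s+Hidden\b.*?/d\s+(\d+)", re.I)


def basename(path):
    """Lower-cased image file name, e.g. 'taskkill.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def taskkill_targets(cmdline):
    """Image names a taskkill command line targets by name (/im); empty if none."""
    return [t.lower() for t in re.findall(r"/im\s+([^\s&]+)", cmdline, re.I)]


def root_of(pid, parents):
    """Walk ppid links up to the outermost process we hold an event for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def match_rules(event):
    """Yield (rule, detail) pairs for one process-creation event.

    Rules key on the image that does the work (taskkill.exe, reg.exe, WerFault.exe),
    so the 'cmd /c' wrappers are not double-counted: their child is logged as well.
    'del' is a cmd builtin with no child process, so that rule keys on cmd.exe itself.
    """
    image, cmd = basename(event["image"]), event["cmdline"]
    if image == "taskkill.exe":
        for target in taskkill_targets(cmd):
            yield "kills_process_with_taskkill", target
    elif image == "reg.exe":
        m = HIDDEN_RE.search(cmd)
        if m:
            yield "sets_explorer_hidden", m.group(1)
    elif image == "cmd.exe" and re.search(r"\\Temp\b", cmd, re.I):
        for name in re.findall(r"\bdel\s+([^\s&]+)", cmd, re.I):
            yield "deletes_files_from_temp", name
    elif image == "werfault.exe":
        m = re.search(r"-p\s+(\d+)", cmd)  # -p <pid> is the crashed process
        if m:
            yield "program_crash", m.group(1)


def triage(events):
    """Run every rule over every event and attribute each hit to its root ancestor."""
    parents = {e["pid"]: e["ppid"] for e in events}
    return [Finding(e["pid"], root_of(e["pid"], parents), rule, detail)
            for e in events for rule, detail in match_rules(e)]


def summarize(events):
    """Rule name -> sorted details, the shape of the report's 'Signatures' list."""
    out = defaultdict(list)
    for f in triage(events):
        out[f.rule].append(f.detail)
    return {rule: sorted(details) for rule, details in out.items()}


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f.pid} (root {f.root_pid}): {f.rule} -> {f.detail}")
```

Keying each rule on the executing image rather than on the wrapper command line is the point worth keeping when porting this to Sysmon or EDR telemetry: the tree shows the same taskkill chain spawned seven times, and matching on the cmd.exe command line as well would double every hit. The one deliberate exception is `del`, which never appears as a separate process.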

Network

MITRE ATT&CK Matrix
