Overview

overview

10

Static

static

3

98ee488607...3a.exe

windows7-x64

8

98ee488607...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98ee48860712d3c06c3a4aa31c14de3a.exe

  • Size

    69KB

  • MD5

    98ee48860712d3c06c3a4aa31c14de3a

  • SHA1

    f36cb20f9663051d1eacfe0543e5449f958b7587

  • SHA256

    60bf7b23526f36710f4ef589273d92cc21d45a996c09af9a4be52368c3233af6

  • SHA512

    49e2982dc220a6fcde0782f7b3637972533b8c8e5821a685bfda65dd4df5d85e6dc11d725ecc7388c9bb81dddea3dac82ee9064cd276d3cdfa7a50c5be9a19a2

  • SSDEEP

    1536:kMbuxfmDShn8doSSW02UAll71xCJ6Kyvd656jpI9MtUL+mAd7A2DDf27Gz:kMbupmOWHSW02U+xCJ/yvE4anin62DDB

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\98ee48860712d3c06c3a4aa31c14de3a.exe
    "C:\Users\Admin\AppData\Local\Temp\98ee48860712d3c06c3a4aa31c14de3a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp
      "C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\runas.exe
        runas /trustlevel:0x20000 C:\Windows\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          4⤵
          • Modifies Installed Components in the registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            5⤵
              PID:2788

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp
      Filesize

      60KB

      MD5

      ff672b6d51815ef9c86e163bfd23f1a5

      SHA1

      e4a08257258bc59d67992d762d60ea34f08a6b9d

      SHA256

      5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace

      SHA512

      d957e4e27e6eb10de02d032fbba52918dc9aa67c350b593463e9756fc8c91208a2065d35f13585b60414df5e19ed5f68aadbcb69630fc02b9a0201761064fd57

      Download Submit
    • memory/2252-0-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2252-1-0x0000000000B00000-0x0000000000B80000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2252-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2276-10-0x0000000074A20000-0x0000000074FCB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2276-12-0x0000000000AE0000-0x0000000000B20000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2276-11-0x0000000074A20000-0x0000000074FCB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2276-15-0x0000000074A20000-0x0000000074FCB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2276-16-0x0000000000AE0000-0x0000000000B20000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2352-14-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2352-17-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2352-21-0x00000000025B0000-0x00000000025C0000-memory.dmp
      Filesize

      64KB

      Download