Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/02/2024, 11:19

General

  • Target

    994a36321a63f1e49b3a79afa332fa07.exe

  • Size

    10KB

  • MD5

    994a36321a63f1e49b3a79afa332fa07

  • SHA1

    c45250cb0fef51942c981950928d518f88b09421

  • SHA256

    d133dc4fce7e41aadcb99764b6a212aff2d50d1b8c447289582232885a13b97d

  • SHA512

    86a256ea0d9efd9e9acfa6e37f680eb477e2622c2e7e0a7ea4646b4b9b4fe40cb09f731fba5cbbeddd01a9dd838ed7aa119ecf895e4ef94585b7e4c80d8d3c43

  • SSDEEP

    192:Nekfn2UklmxRdn/YL6dqkYTLZk/JDHWYOG372+NGMXkpKQVc5ndzP8D6vmj5:Nrv2Hmx3yoq9mhf17h4MXkXc5ndzPut

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\994a36321a63f1e49b3a79afa332fa07.exe
    "C:\Users\Admin\AppData\Local\Temp\994a36321a63f1e49b3a79afa332fa07.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\fxmngr.exe
      C:\Windows\system32\fxmngr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\fxmngr.exe > nul
        3⤵
        PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\994A36~1.EXE > nul
        2⤵
        • Deletes itself
        PID:2824

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\Desktop\Online Security Guide.url
    Filesize
    109B
    MD5
    c4580e9be3994b1fc0ce3514361e0904
    SHA1
    5f40833c03c06a07b783a0a321cc3bae3273e0bd
    SHA256
    a8cf4beb7281287cf1eab1eaf5f06fb1cbe19b0d053c3eaef08be03f05ddff80
    SHA512
    70b1e6431cb71865d6bb5d6f0cb403d5334ffd7f5393340120cb4939318143a80b61c98ca76c646ae4c5503ce8c400f0c674244bbbde95685a6720ba5271cf73

  • C:\Users\Public\Desktop\Security Troubleshooting.url
    Filesize
    109B
    MD5
    82c6041e6f1e8edaef89150ce7c09e3d
    SHA1
    b1914bb4491357de109f639d031d375f1c3ee3f1
    SHA256
    0f26bd5671f3cbfd0056cc3e44dc3ede7c8d5b0700071f546faf7908a7f0ee64
    SHA512
    67b69b25b6d0fd6c2002f183d0f2d24f8b56464a72356c37a1ce48653dc4d05893332b0054b6a21b2667ecf0d961be0b53bea587013a1e54a01b6799e5a36a76

  • \Windows\SysWOW64\fxmngr.exe
    Filesize
    2KB
    MD5
    af1444409e57da51b24ddcc141ba86d9
    SHA1
    a43c07c82cc766e418cf8b3bfe1f3a158d3c4977
    SHA256
    f7b7738a55c2c092dd6f6089f82bcb10adf9bfcb36169bad111580b8b48d6bee
    SHA512
    c3ffd1a935ae99185a2929d4021e855094e300f7262ceac7d02dfd805545c4201b266847b9eba6ec519a9d62d66b213e4bec7a3f500b25662dcf092b25c00d58