Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/02/2024, 01:27

General

  • Target

    9a6c81270e9d4047693fc5703370cc8f.exe

  • Size

    24KB

  • MD5

    9a6c81270e9d4047693fc5703370cc8f

  • SHA1

    6a44e5b71bb308e820927c69a8101722114f11a6

  • SHA256

    553bd8b27964362c6da9d6e943f142612c486aeca99930e2e36a914300319e47

  • SHA512

    95304f46b3ef9484d1ce3d07dd001ee0515daaad4fd7bc28ce1c0a3636a464b5cfe79fdf7cb272a7f2d3317e9c872175ba43ba99d2b0f23500f76c240c5a8b35

  • SSDEEP

    384:E3eVES+/xwGkRKJ5lM61qmTTMVF9/q5/0:bGS+ZfbJ5O8qYoA8

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view the network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a6c81270e9d4047693fc5703370cc8f.exe
    "C:\Users\Admin\AppData\Local\Temp\9a6c81270e9d4047693fc5703370cc8f.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
          PID:2844
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:2640
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
              PID:2784
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -an
            3⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    8KB

    MD5

    a03bf0eb4bebd32177d2e96c96abbeeb

    SHA1

    e0966a6fde8123a5cc305eaf33f6f5d7b1430141

    SHA256

    d4bcebda6bb31e4043d236e0a91895ce2a249fb5a4f1f489f7b1004ba605424a

    SHA512

    b1d9be7314127985383626f5e6b1e6ddf67e62eb79c8d1393f973e4f381f4a4ffd38c418b699d3c4b2882b5daa111a6d3ebf4d95a9f70fa91634621a5a52063b