Overview

overview

7

Static

static

3

aa868b27fd...a3.exe

windows7-x64

7

aa868b27fd...a3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-02-2024 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa868b27fdc3c9e2dce5868e4f75c6a3.exe

  • Size

    765KB

  • MD5

    aa868b27fdc3c9e2dce5868e4f75c6a3

  • SHA1

    1ca98056657bb4a871f9468722df94b88c14e3e2

  • SHA256

    505ae0a4f52a7917e6fda8902bbc47ff913c5c74abe3be30f87db9d075a6614a

  • SHA512

    ec7faa23ba717f212d2dddc32bb033a44891d06c56df59476e1ea9bb440b0f08d201a9756b07e52b04cfdbbba4b58ed7717069c8246f55238f8efd7ff4eb135e

  • SSDEEP

    12288:i3eo2TaTVCKnhk1W5A4N/Q8u7MHIVvMxA11lUByFen4veANO2v2LX5MnuWH1TmdJ:k52XKy1W5AcXETdQ4ve0O2vWDRv

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa868b27fdc3c9e2dce5868e4f75c6a3.exe
    "C:\Users\Admin\AppData\Local\Temp\aa868b27fdc3c9e2dce5868e4f75c6a3.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\DELME.BAT
      2⤵
      • Deletes itself
      PID:1656
  • C:\Windows\IEXPLORE.exe
    C:\Windows\IEXPLORE.exe
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\DELME.BAT
    Filesize

    190B

    MD5

    de7030975edf137ceeeca8a4bc440d86

    SHA1

    e55e10f9fe6e4a8210c5881d6dc7b10977ea4bcd

    SHA256

    94bfc4d673aff92d97b592a51d2995301641469fbf3bf22d9caa94af3e58b106

    SHA512

    ed0bbfbdc120db401bc9ab868da5dc73d8873192b27a3ba646ef4521aee0555cc5a1fd9238f66bef890a96e0f584cd3d7e570d2d26f5b182af585eca34c1e468

    Download Submit

  • C:\Windows\IEXPLORE.exe
    Filesize

    765KB

    MD5

    aa868b27fdc3c9e2dce5868e4f75c6a3

    SHA1

    1ca98056657bb4a871f9468722df94b88c14e3e2

    SHA256

    505ae0a4f52a7917e6fda8902bbc47ff913c5c74abe3be30f87db9d075a6614a

    SHA512

    ec7faa23ba717f212d2dddc32bb033a44891d06c56df59476e1ea9bb440b0f08d201a9756b07e52b04cfdbbba4b58ed7717069c8246f55238f8efd7ff4eb135e

    Download Submit

  • memory/2108-0-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-7-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2108-10-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-4-0x0000000000010000-0x00000000000D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2928-5-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-8-0x0000000000010000-0x00000000000D8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2928-12-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

    Download