Overview

overview

7

Static

static

3

b6618445df...bc.exe

windows7-x64

7

b6618445df...bc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 03:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b6618445dfeaa1bf57c1d61d4cdf98bc.exe

  • Size

    712KB

  • MD5

    b6618445dfeaa1bf57c1d61d4cdf98bc

  • SHA1

    f24408a4405efd6c0d8046b7fa67b0069d2709b5

  • SHA256

    bd2fc42023cb245d21498c5a80d777ff70ff7999a2d161e16b2e449038432ad8

  • SHA512

    dee741d884297aca174d66ca96c371098132bb324d5040e74be963146f5105c6f34e64ebcaa9c733ead96e78c628ffaebc9f66e257fbd10e8e630bb6a08db94f

  • SSDEEP

    12288:oT32nRMfInKh5UaEBTEdcuKBV72Mq7qh0r2zBJkTw1c2obY7qvgjRt1l0g:832n3C5hqwdpKB12Mq7pKV/ocXx0g

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe
    "C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2416
    • C:\Windows\Hacker.com.cn.ini
      C:\Windows\Hacker.com.cn.ini
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:2948

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\uninstal.bat
              Filesize

              152B

              MD5

              c799b445928854e743af7cbcffcb51b6

              SHA1

              b46bc3d275c31a7d2f34a8f5b1053c616f588f7c

              SHA256

              dfd028445207bba1f2d410c6d6512c8825708762a4f610d4fa504549f5b6a96f

              SHA512

              3021d2ba62b2d8d14a1be2c469e7ff844ea4abb23770ddb15c59dfefab230ab147e2573a5d99c1f62207e20f03267ce953788ad7651706e5d134dcd7edbc4905

              Download Submit

            • \Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
              Filesize

              411KB

              MD5

              92f456b56baf54f813543981847aca06

              SHA1

              62d44ecbb19bd9116fba4d44d1ed9fa4c1c10c03

              SHA256

              75c6a684d53d25ef57ce983d337baf61a7218bfe02a61fb37473d3940dd9b7a9

              SHA512

              fd922413e6aa263babe6ebc33c7f3cd6046cbd5fca3f14eaff71f7d4fa4a5dd272972510d624c34cbf7f355e101eb7988c74941efd1158920ae921b86c127855

              Download Submit

            • memory/1784-32-0x0000000001000000-0x00000000010BE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/1784-1-0x00000000003E0000-0x0000000000430000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1784-2-0x0000000001000000-0x00000000010BE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/1784-12-0x0000000002F00000-0x0000000002FCC000-memory.dmp

              Filesize

              816KB

              Download

            • memory/1784-3-0x0000000002B10000-0x0000000002B13000-memory.dmp

              Filesize

              12KB

              Download

            • memory/1784-33-0x00000000003E0000-0x0000000000430000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1784-0-0x0000000001000000-0x00000000010BE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/2000-16-0x0000000000A60000-0x0000000000B2C000-memory.dmp

              Filesize

              816KB

              Download

            • memory/2000-31-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

              Download

            • memory/2000-17-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

              Download

            • memory/2556-23-0x00000000001D0000-0x00000000001D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2556-21-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

              Download

            • memory/2556-35-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

              Download

            • memory/2556-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2556-40-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

              Download