Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-03-2024 11:17

General

  • Target

    b7433dc4de9676276bba102f171358aa.exe

  • Size

    403KB

  • MD5

    b7433dc4de9676276bba102f171358aa

  • SHA1

    9c9f39850fe3a414651bab6c81b04b4d6d1523f0

  • SHA256

    2a0295f5bab05005fd6e3bf733fcb5e5f153674ad01b8aaf2179e05d8580f3c7

  • SHA512

    64a8e82899891fc809bf68c0c0a6f6d45e8b0dcba2445b77da2b2bc40895b48431aa8572096589450d48a2272200c4b17c0bc9539f5feaa46503cbfd3482b218

  • SSDEEP

    6144:tBZn9oaRZ0RDG1NQv0Q/ldddHBDcuydIe/vgPux34toGwKMTMjexpnr90T:RlRZrNQv13ddH1crdrRxt4MgqrnyT

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe
    "C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 840
      2⤵
      • Program crash
      PID:2644
    • C:\bG02401AnHmA02401\bG02401AnHmA02401.exe
      "\bG02401AnHmA02401\bG02401AnHmA02401.exe" "C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 840
        3⤵
        • Program crash
        PID:4040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1304 -ip 1304
    1⤵
    PID:3220
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5008 -ip 5008
    1⤵
    PID:4760
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3576
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:5044
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2892
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:4380
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1748
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2604
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1116
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2696

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Modify Registry (T1112): 2


Downloads

  • C:\bG02401AnHmA02401\bG02401AnHmA02401.exe
    Filesize
    403KB
    MD5
    ef4253e4e5f02525c366ed9ffdcd8ad2
    SHA1
    e7a3115d7e8b53c066627b0e8a94a4852b41a55f
    SHA256
    13d78282302efbd787ebe0b508915862a9e0e51f2e6fa93acf6bc70da365f2c9
    SHA512
    78414311fa645f823e20281ebe879aca7a612157b330c7fe003599fed2a778f07dcb10b2906ffea95ddc3739db36ed0ba912746f83d92e712cc2187a68b40157

  • memory/1304-0-0x00000000006A0000-0x00000000006A3000-memory.dmp
    Filesize
    12KB

  • memory/1304-1-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize
    816KB

  • memory/1304-2-0x00000000006C0000-0x00000000006C1000-memory.dmp
    Filesize
    4KB

  • memory/1304-81-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize
    816KB

  • memory/1304-94-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize
    816KB

  • memory/5008-95-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize
    816KB

  • memory/5008-96-0x0000000000690000-0x0000000000691000-memory.dmp
    Filesize
    4KB

  • memory/5008-178-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize
    816KB