Overview

overview

10

Static

static

3

bce67b4a22...50.exe

windows7-x64

10

bce67b4a22...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bce67b4a22e1c0c2b292eb0144b22e50.exe

  • Size

    271KB

  • MD5

    bce67b4a22e1c0c2b292eb0144b22e50

  • SHA1

    84d8648001806f07237a5f9cefc413b74b38856c

  • SHA256

    2bae7e7dbc62a5f31973addb4641dc94ba06b0181f35d240a745dbb3bae28610

  • SHA512

    83a58f48524a5d4520ffd67296ed64bc95b4b1f0b17cee97e5920053e0199e12604b8a0fd7022ff5edcf5301b43da63d43b8381c50d1f24c289c9fa644125e0a

  • SSDEEP

    6144:O0vsSRYQsNWZae/vy+C3ppgktHG+s7Osqx3TG:hEgYVnbZbHGPOsqFTG

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\bce67b4a22e1c0c2b292eb0144b22e50.exe
      "C:\Users\Admin\AppData\Local\Temp\bce67b4a22e1c0c2b292eb0144b22e50.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\c1d0fc3f\X
        *0*47*8e51c35e*31.193.3.240:53
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2540
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2516
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:3020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\system32\consrv.dll
        Filesize

        29KB

        MD5

        76f2ad6212981964aeea83926e5ffdd7

        SHA1

        8f016ab22ce1338507218f713166c5c169eee65e

        SHA256

        0b2de0f2219abcf8c5bd580b5b46777eb41290bf5d4b4225b4fd65e56cd99e08

        SHA512

        e650275cf11752d12c89aa189270627e54b7b5f55b6f9261aa4e25eafc073374ae9bbae2a380338a81ee07c4aaa0ee3608a45c118fccae1c382f99554b26a91f

        Download Submit

      • \Users\Admin\AppData\Local\c1d0fc3f\X
        Filesize

        38KB

        MD5

        72de2dadaf875e2fd7614e100419033c

        SHA1

        5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

        SHA256

        c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

        SHA512

        e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

        Download Submit

      • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
        Filesize

        2KB

        MD5

        7936f8300ff9affef5a0d77d72d5a4f9

        SHA1

        6b33ba78a7f4d3a5cbc066747852e75fa0476685

        SHA256

        d45121e53601695b9220cf4d4254bbb0f39aee0a0801d86abdac88e02612261a

        SHA512

        dca62d990083d9f4e0616a3cb87964add1d66e4a1280ade1a4e8261b22c4129d51e716977e34929e96287e244f4d30b09f304dd9699e4b7903808750fb2ab308

        Download Submit

      • memory/336-18-0x0000000002280000-0x000000000228B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/336-42-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/336-28-0x0000000002280000-0x000000000228B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/336-25-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1380-27-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1380-37-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1380-3-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1380-11-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1380-7-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1380-31-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1380-33-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1380-12-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1380-38-0x0000000003CC0000-0x0000000003CCB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1380-39-0x0000000003CC0000-0x0000000003CCB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3060-40-0x0000000030670000-0x00000000306C3000-memory.dmp

        Filesize

        332KB

        Download

      • memory/3060-41-0x00000000004B0000-0x00000000005B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3060-2-0x00000000004B0000-0x00000000005B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3060-44-0x0000000030670000-0x00000000306C3000-memory.dmp

        Filesize

        332KB

        Download

      • memory/3060-1-0x0000000030670000-0x00000000306C3000-memory.dmp

        Filesize

        332KB

        Download