Overview

overview

10

Static

static

3

d4efd4c8c0...69.exe

windows7-x64

10

d4efd4c8c0...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • submitted
    19-03-2024 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4efd4c8c02bf1c7130efdcf474f1b69.exe

  • Size

    899KB

  • MD5

    d4efd4c8c02bf1c7130efdcf474f1b69

  • SHA1

    3f17c11369338e6767fe0dade8a0f9dbc7ddac27

  • SHA256

    c7e1a1b08de4b6e01a17e4c4d5795964dae98aadba3fdd3ff5da33fc5adae7f6

  • SHA512

    9e8da8bd66fb3771523c98eb58ed343f3c360e67cb3978a332c176c5e8e4717a6a0ecb391118812b8d76be92637c88d3ffc10c82769cf96a1d1d5b3abf4f8e78

  • SSDEEP

    24576:dLJEU63Vi1wZDIzR2D4M0Q2VVFByf9djCf:xJJGZDn46abB4dO

Score
10/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4efd4c8c02bf1c7130efdcf474f1b69.exe
    "C:\Users\Admin\AppData\Local\Temp\d4efd4c8c02bf1c7130efdcf474f1b69.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Lhzbhsndksibtmsrzld.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chromes.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
    • C:\Users\Admin\AppData\Local\Temp\d4efd4c8c02bf1c7130efdcf474f1b69.exe
      C:\Users\Admin\AppData\Local\Temp\d4efd4c8c02bf1c7130efdcf474f1b69.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 224
        3⤵
        • Program crash
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Lhzbhsndksibtmsrzld.vbs
    Filesize

    137B

    MD5

    70ba873f322cec5326c8aa85dbfb35fe

    SHA1

    367e6c1396484088760d363ac032ecb56b355282

    SHA256

    92dd75ce4d861fc5096b5e77fa6ce4e1954b2369a4e29cebd541a8700d5becdf

    SHA512

    5cdd8fbe65a0c99157d187579ef1e1881d772f276ca085e5a3961f9e01c3f6d27e555b855ff25c8b6a231514383828f6599cb389c7ad5692cf9ab8bbda2421d9

    Download Submit

  • memory/1524-0-0x0000000000C60000-0x0000000000D46000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1524-1-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1524-2-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-3-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-4-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-5-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1524-6-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-7-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-8-0x00000000042C0000-0x0000000004300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1524-9-0x0000000007F40000-0x0000000007FDE000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1524-10-0x0000000005FC0000-0x000000000603A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1524-11-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-12-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-14-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-16-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-18-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-20-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-22-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-24-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-26-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-28-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-30-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-32-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-34-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-38-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-36-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-44-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-42-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-50-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-48-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-46-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-40-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-56-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-58-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-62-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-60-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-54-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-52-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-70-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-68-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-66-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-64-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-72-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-74-0x0000000005FC0000-0x0000000006035000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1524-2290-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2256-2293-0x0000000073A40000-0x0000000073FEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2256-2294-0x0000000073A40000-0x0000000073FEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2256-2295-0x0000000002650000-0x0000000002690000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2256-2296-0x0000000002650000-0x0000000002690000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2256-2297-0x0000000073A40000-0x0000000073FEB000-memory.dmp

    Filesize

    5.7MB

    Download