Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27/03/2024, 00:53

General

  • Target

    e061e494188ecf6c7e605920699d1631.exe

  • Size

    120KB

  • MD5

    e061e494188ecf6c7e605920699d1631

  • SHA1

    4a906939977e9b9fc95b2ef55480894c8e3a64db

  • SHA256

    7daa43e9c28a6b3fb1e9a840821bb3f68dda745e798ee80a2f0213b9778ff07a

  • SHA512

    709623e5037c7186ccd0cde64bc77b91cb4228ed899734119dceb6d2c1a6177e046a27aa7f0370b649cc581e5a52152e3a98ce24155ce35a1b466f929d806b7f

  • SSDEEP

    1536:EcZib3iiLE9zp0DLBA41oDLbp1QYfZtzT2cPlWXkEYa9YbeG91dPil:Evb3/o9zpQBcL7fZtzT2vXkERut

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e061e494188ecf6c7e605920699d1631.exe
    "C:\Users\Admin\AppData\Local\Temp\e061e494188ecf6c7e605920699d1631.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
          PID:2536
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        2⤵
        • Launches sc.exe
        PID:2616
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          3⤵
            PID:2592
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          2⤵
          • Launches sc.exe
          PID:2752
        • C:\Users\Admin\AppData\Local\Temp\o6jv.exe
          C:\Users\Admin\AppData\Local\Temp\o6jv.exe
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net.exe
            net.exe stop "Security Center"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:600
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Security Center"
              4⤵
                PID:2876
            • C:\Windows\SysWOW64\sc.exe
              sc config wscsvc start= DISABLED
              3⤵
              • Launches sc.exe
              PID:680
            • C:\Windows\SysWOW64\net.exe
              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:336
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                4⤵
                  PID:2976
              • C:\Windows\SysWOW64\sc.exe
                sc config SharedAccess start= DISABLED
                3⤵
                • Launches sc.exe
                PID:2792
              • C:\Users\Admin\AppData\Local\Temp\o6jv.exe
                C:\Users\Admin\AppData\Local\Temp\o6jv.exe -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
                3⤵
                • Executes dropped EXE
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2852
                • C:\Windows\SysWOW64\net.exe
                  net.exe stop "Security Center"
                  4⤵
                    PID:2732
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Security Center"
                      5⤵
                        PID:2836
                    • C:\Windows\SysWOW64\sc.exe
                      sc config wscsvc start= DISABLED
                      4⤵
                      • Launches sc.exe
                      PID:1760
                    • C:\Windows\SysWOW64\net.exe
                      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                      4⤵
                        PID:2484
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                          5⤵
                            PID:1736
                        • C:\Windows\SysWOW64\sc.exe
                          sc config SharedAccess start= DISABLED
                          4⤵
                          • Launches sc.exe
                          PID:900
                      • C:\Users\Admin\AppData\Local\Temp\o6jv.exe
                        C:\Users\Admin\AppData\Local\Temp\o6jv.exe -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
                        3⤵
                        • Executes dropped EXE
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1744
                        • C:\Windows\SysWOW64\net.exe
                          net.exe stop "Security Center"
                          4⤵
                            PID:1596
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop "Security Center"
                              5⤵
                                PID:2432
                            • C:\Windows\SysWOW64\sc.exe
                              sc config wscsvc start= DISABLED
                              4⤵
                              • Launches sc.exe
                              PID:1600
                            • C:\Windows\SysWOW64\net.exe
                              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                              4⤵
                                PID:2572
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                                  5⤵
                                    PID:2896
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config SharedAccess start= DISABLED
                                  4⤵
                                  • Launches sc.exe
                                  PID:2556
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c C:\Users\Admin\AppData\Local\Temp\7zd70ah5.bat
                              2⤵
                              • Deletes itself
                              PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zd70ah5.bat

    Filesize
    190B

    MD5
    7fa5e23a7f1b0d66249686e0cdda2a8a

    SHA1
    8e81304e1d289eb973a3d728a946c240024c8a4f

    SHA256
    c7c47af0df1592752aaf0dd8c1122d26f968aede5a164f8b0ecefd03ac133204

    SHA512
    e0cadcee5c7b1cfc5ae53a370faa60eb82c1a1654ae9ff445d8f0bf0584e7f201e1a52b5538293d989e70e9ba65096a13b97829858b58b9ca1d5801c8981ae59

  • \Users\Admin\AppData\Local\Temp\o6jv.exe

    Filesize
    120KB

    MD5
    e061e494188ecf6c7e605920699d1631

    SHA1
    4a906939977e9b9fc95b2ef55480894c8e3a64db

    SHA256
    7daa43e9c28a6b3fb1e9a840821bb3f68dda745e798ee80a2f0213b9778ff07a

    SHA512
    709623e5037c7186ccd0cde64bc77b91cb4228ed899734119dceb6d2c1a6177e046a27aa7f0370b649cc581e5a52152e3a98ce24155ce35a1b466f929d806b7f

  • memory/1044-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize
    128KB

  • memory/1044-3-0x0000000003BA0000-0x0000000003D89000-memory.dmp

    Filesize
    1.9MB

  • memory/1744-39-0x0000000003400000-0x0000000004462000-memory.dmp

    Filesize
    16.4MB

  • memory/2852-30-0x0000000003600000-0x0000000004662000-memory.dmp

    Filesize
    16.4MB

  • memory/2980-23-0x00000000033E0000-0x0000000004442000-memory.dmp

    Filesize
    16.4MB