Analysis

  • max time kernel
    28s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27/03/2024, 21:10

General

  • Target

    6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4.exe

  • Size

    927KB

  • MD5

    229a978855cc68ed8b15c325f4b9b3d6

  • SHA1

    aead8146325c249c26a50ca0e17164b6c1d27532

  • SHA256

    6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4

  • SHA512

    d92556baf2b5cd9ac0208d3cd2ef62361181013f5eef927f1ee53f9b3c8b296646536c7afa6544ab43b4ff5ef61c323d3ca743c6ae2d3fd13ec80ff8149611ac

  • SSDEEP

    24576:Wbqi+tZe0p4Ek4niOkl/A04szE87JKTvmw:WbD+PeW4SkZP4sz9Mb/

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:232
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev323B.tmp!C:\Users\Admin\AppData\Local\Temp\6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\6FD12C6E8A2CCB53298FCF79A1C2C1BB7F9FF4FE6CBD038AF48C286C12EC42F4.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    80KB

    MD5

    7953ee2765fd7f56ef2cbc7181d1149d

    SHA1

    c649e183ef7ea9d5f758e061432c2707f7591b6f

    SHA256

    79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9

    SHA512

    351b443e4145ddaccef9de847b142b240fb44594d6bee7b7fbe16a865df6dccd93559b437b254093f0f790bb3b66d0972d879b931c8f2e9ed9fdd4c931dbe7b7

  • C:\Windows\dev323B.tmp

    Filesize

    847KB

    MD5

    c8f40f25f783a52262bdaedeb5555427

    SHA1

    e45e198607c8d7398745baa71780e3e7a2f6deca

    SHA256

    e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

    SHA512

    f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

  • memory/232-11-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/232-15-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2092-10-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4628-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4628-9-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB
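As an added example (not part of the sandbox report or of the sample), the Python below turns the Signatures, Processes and Downloads sections into something a responder can run: it hashes files in one pass and matches them against the three file IOCs listed above, parses the `-r!<tmp>!<original>! !` command line that MSWDM.EXE was launched with, and flags process-creation records that match the tree. The process records and the scanned file are constructed here, not real telemetry. The report does not document what the `-r` fields mean, so the parser only extracts them. One observation the report supports but does not state: the two dropped files (80KB and 847KB) add up to the 927KB sample, which is consistent with dev323B.tmp being the remainder of the dropper. Run-key inspection is left to `reg query` or PowerShell on the affected host, since it needs the live Windows registry.

```python
"""Hunt for the artifacts in the sandbox report above (added example).

Hashes, paths and the command-line shape are copied from the report;
the event records and the scanned file are constructed, not real.
"""
import hashlib
import io
import os
import tempfile

# File IOCs copied from the report's General and Downloads sections.
IOCS = {
    "dropper (submitted sample)": {
        "md5": "229a978855cc68ed8b15c325f4b9b3d6",
        "sha1": "aead8146325c249c26a50ca0e17164b6c1d27532",
        "sha256": "6fd12c6e8a2ccb53298fcf79a1c2c1bb7f9ff4fe6cbd038af48c286c12ec42f4",
    },
    "C:\\WINDOWS\\MSWDM.EXE": {
        "md5": "7953ee2765fd7f56ef2cbc7181d1149d",
        "sha1": "c649e183ef7ea9d5f758e061432c2707f7591b6f",
        "sha256": "79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9",
    },
    "C:\\Windows\\dev323B.tmp": {
        "md5": "c8f40f25f783a52262bdaedeb5555427",
        "sha1": "e45e198607c8d7398745baa71780e3e7a2f6deca",
        "sha256": "e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316",
    },
}
HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_stream(fobj, chunk=1 << 20):
    """Compute all three digests in a single pass over the data."""
    hashers = {a: hashlib.new(a) for a in HASH_ALGOS}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def match_hashes(digests, iocs=IOCS):
    """Return the IOC name whose digests match, or None. Any one algorithm
    listed for the IOC is enough, so partial IOC entries (sha256 only) work."""
    for name, known in iocs.items():
        for algo in HASH_ALGOS:
            if algo in known and known[algo].lower() == digests[algo]:
                return name
    return None


def scan_tree(root, iocs=IOCS):
    """Walk `root` and return (path, ioc_name) for every file that matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                name = match_hashes(hash_file(p), iocs)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort
            if name:
                hits.append((p, name))
    return hits


def parse_restore_cmdline(cmdline):
    """Split the '-r!<tmp>!<original>! !' form seen in the process tree.
    Returns the two paths, or None for any other command line."""
    parts = cmdline.strip().split("!")
    if len(parts) < 3 or parts[0].strip().lower() != "-r":
        return None
    return {"tmp": parts[1], "original": parts[2]}


# Constructed process-creation records in the shape of the report's tree.
SAMPLE_EVENTS = [
    {"pid": 4628, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 232, "image": r"C:\WINDOWS\MSWDM.EXE",
     "cmdline": r'"C:\WINDOWS\MSWDM.EXE"'},
    {"pid": 2092, "image": r"C:\WINDOWS\MSWDM.EXE",
     "cmdline": r"-r!C:\Windows\dev323B.tmp!C:\Users\Admin\AppData\Local\Temp\sample.exe! !"},
    {"pid": 9999, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def flag_events(events):
    """Return (pid, reason) for records matching the report's process tree:
    any image at C:\\WINDOWS\\MSWDM.EXE, plus the restore command-line form."""
    findings = []
    for ev in events:
        if ev["image"].lower() == r"c:\windows\mswdm.exe":
            findings.append((ev["pid"], "image is C:\\WINDOWS\\MSWDM.EXE"))
        r = parse_restore_cmdline(ev["cmdline"])
        if r:
            findings.append((ev["pid"], "MSWDM restore cmdline -> " + r["original"]))
    return findings


def demo_scan():
    """Write a constructed file, register its hash as an extra IOC and scan a
    temp dir; returns the IOC names hit so the matcher can be exercised offline."""
    data = b"constructed sample, not malware"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "constructed.bin"), "wb") as f:
            f.write(data)
        iocs = dict(IOCS)
        iocs["constructed sample"] = {"sha256": hash_bytes(data)["sha256"]}
        return sorted(name for _, name in scan_tree(d, iocs))


if __name__ == "__main__":
    print("demo scan:", demo_scan())
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

On a live host, call `scan_tree(r"C:\Windows")` and `scan_tree` over the user's Temp directory, and feed `flag_events` with Sysmon Event ID 1 records (image and command line) rather than the constructed list; the matcher keys on any one digest so a partial IOC entry is still usable.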