Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2024, 15:58

General

  • Target

    6072ed4213f9fcf939d6646fd0288f1e9e206688d80296ae2ad8266ae7326e1e.exe

  • Size

    197KB

  • MD5

    40d470a493bc36c8b58232fa4d691fb7

  • SHA1

    5540454022878523ef54687cd330108336e6df53

  • SHA256

    6072ed4213f9fcf939d6646fd0288f1e9e206688d80296ae2ad8266ae7326e1e

  • SHA512

    ab708079d077e31f2e96143db0bcff4a3a24f9d66eeabc21c175dbb98c336ec8c96fe9cdb9f804e6572416b0ef88ec529d9fb9725619b7f49bc0f79063c4879d

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOi:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXz

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6072ed4213f9fcf939d6646fd0288f1e9e206688d80296ae2ad8266ae7326e1e.exe
    "C:\Users\Admin\AppData\Local\Temp\6072ed4213f9fcf939d6646fd0288f1e9e206688d80296ae2ad8266ae7326e1e.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6072ED~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1984
  • C:\Windows\Debug\rwmhost.exe
    C:\Windows\Debug\rwmhost.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:2948

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\debug\rwmhost.exe

          Filesize

          197KB

          MD5

          ad0e48a9f50c25167d26758cbc35e1b3

          SHA1

          28df09f38cbcfc5a481a19cdd64ba5f1e9d507e3

          SHA256

          cf25a9c33126a891a032fb0c9ff0750e8c92bd3d6deb6dec4f908f1abb4cffb6

          SHA512

          faa0f99dcffdc058216356cf57885f3bdb653c8f520b49bd481017b4d591b53979ba40db9643477c6aba7c4a75be318716327c5082e84328bea63d6065e1d9df