Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-04-2024 18:31

General

  • Target

    0a9db6e9e13a8c8e14b3562c4af3d96d4c7e68a00ffbb722d2caa2c037ba334a.exe

  • Size

    107KB

  • MD5

    33e06f65b319484f48184bdbf6cba33f

  • SHA1

    3081c2831095f50b15728352b3cb70974512774b

  • SHA256

    0a9db6e9e13a8c8e14b3562c4af3d96d4c7e68a00ffbb722d2caa2c037ba334a

  • SHA512

    bfe762c92f4f02ca174c794f37bb243720014d869f964d65b1ae201b1ce8ea05a70758fd6b6845df9e74848237386237f08338fda1f944832336de6fd4b62c3a

  • SSDEEP

    1536:+7PvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRQ8V3zhbPp:uPvKztiIzj6xtDLBZRQ8Vj5Pp

Score
9/10

Malware Config

Signatures

  • Detects executables packed with eXPressor 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a9db6e9e13a8c8e14b3562c4af3d96d4c7e68a00ffbb722d2caa2c037ba334a.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9db6e9e13a8c8e14b3562c4af3d96d4c7e68a00ffbb722d2caa2c037ba334a.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240635703.reg
      2⤵
      • Modifies Installed Components in the registry
      • Runs .reg file with regedit
      PID:744
    • C:\Windows\SysWOW64\WinHelp3.exe
      C:\Windows\system32\WinHelp3.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\0a9db6e9e13a8c8e14b3562c4af3d96d4c7e68a00ffbb722d2caa2c037ba334a.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4384
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 204
            4⤵
            • Program crash
            PID:964
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 212
            4⤵
            • Program crash
            PID:4888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4384 -ip 4384
      1⤵
        PID:924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4384 -ip 4384
        1⤵
          PID:5112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240635703.reg

    Filesize
    378B

    MD5
    94f4a855c827e15e1fa7c8a57bc22e06

    SHA1
    e640023daa26b2ef3e7371f9b0b1c9798f3f72ce

    SHA256
    bf2b394d40273a7305a3b03bd982d199a224842818a2133cb8c0fdad05873cee

    SHA512
    b0388fb467332bc344f034a9152642417f81c75d609398d62744a0e90bc2efbfa4db59c9f6d60bc8bd9cc7f982a89dd532fd17d198a2a02c9512544909306a3a

  • C:\Windows\SysWOW64\WinHelp3.exe

    Filesize
    107KB

    MD5
    bc3d531ea8651fcab56c1b8883d6c682

    SHA1
    bc4b39fe1b9a6631c6c2fab09222527898aabc25

    SHA256
    9dadcb5a5bd6d6b8910bd5622142cccd9e812600fdb6fa8f412c4e3de9259d6a

    SHA512
    5a26fe1ab383eca3af4dcaf2e3712af596f16cf24c1e65ce193dc93b60f7e4ce250413cd838236c7970e9e98d0c9394d3c145a872dad01fe8201867e4ce58138

  • memory/4384-6-0x0000000013150000-0x0000000013167000-memory.dmp

    Filesize
    92KB