Analysis

  • max time kernel: 154s
  • max time network: 164s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/05/2024, 01:55

General

  • Target: b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8.exe
  • Size: 98KB
  • MD5: 0a547347b0b9af0290b263dfa8d71ebe
  • SHA1: 5ff176bfe5e0255a68c8e3d132afbff795a1fc1d
  • SHA256: b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8
  • SHA512: 8e3795bc46783f970c63c56d340e1eb47346bd3e7a9050ed7d1fac77cdcf96e9ec2a955d56b60ca68556a160ab4c0116b2a51d0bbee91c5ded72a3b2b81d5fb0
  • SSDEEP: 1536:79H3LJvFmav82tiLZoS/0XOD7fiq4kzNEAAkHK:hHbCOqb/+i7fRekHK

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8.exe
    "C:\Users\Admin\AppData\Local\Temp\b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\sysbrapsvc.exe
      C:\Windows\sysbrapsvc.exe
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Users\Admin\AppData\Local\Temp\2663424960.exe
        C:\Users\Admin\AppData\Local\Temp\2663424960.exe
        3⤵
        • Executes dropped EXE
        PID:4424
      • C:\Users\Admin\AppData\Local\Temp\1693517754.exe
        C:\Users\Admin\AppData\Local\Temp\1693517754.exe
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Users\Admin\AppData\Local\Temp\1533932462.exe
          C:\Users\Admin\AppData\Local\Temp\1533932462.exe
          4⤵
          • Executes dropped EXE
          PID:2428
        • C:\Users\Admin\AppData\Local\Temp\1917024594.exe
          C:\Users\Admin\AppData\Local\Temp\1917024594.exe
          4⤵
          • Executes dropped EXE
          PID:2620
        • C:\Users\Admin\AppData\Local\Temp\2293816317.exe
          C:\Users\Admin\AppData\Local\Temp\2293816317.exe
          4⤵
          • Executes dropped EXE
          PID:560
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3464 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\_3[1]
    Filesize: 9KB
    MD5: 4c12165bc335a32cb559c828484a86a6
    SHA1: c2e78c57f15a1a3a190be415aac3d1e3209ce785
    SHA256: 4831bd83c39ec9d898ccc1023858c81a03326b7c1c5dd8e24fdf9b2171707d1a
    SHA512: f44df78b6f16255496b2fa35e28c185011c2bebf47730a68fd1369abf87f390684a8786a167319319d14a12da3768c1edef8e36037cde339a1ffe8c62c3ea87b

  • C:\Users\Admin\AppData\Local\Temp\1533932462.exe
    Filesize: 8KB
    MD5: 9b8a3fb66b93c24c52e9c68633b00f37
    SHA1: 2a9290e32d1582217eac32b977961ada243ada9a
    SHA256: 8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293
    SHA512: 117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

  • C:\Users\Admin\AppData\Local\Temp\1693517754.exe
    Filesize: 14KB
    MD5: d085f41fe497a63dc2a4882b485a2caf
    SHA1: 9dc111412129833495f19d7b8a5500cf7284ad68
    SHA256: fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0
    SHA512: ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106

  • C:\Windows\sysbrapsvc.exe
    Filesize: 98KB
    MD5: 0a547347b0b9af0290b263dfa8d71ebe
    SHA1: 5ff176bfe5e0255a68c8e3d132afbff795a1fc1d
    SHA256: b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8
    SHA512: 8e3795bc46783f970c63c56d340e1eb47346bd3e7a9050ed7d1fac77cdcf96e9ec2a955d56b60ca68556a160ab4c0116b2a51d0bbee91c5ded72a3b2b81d5fb0