Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 03:33

General

  • Target

    d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe

  • Size

    426KB

  • MD5

    a1b78be46fc7c6f022ae78c81393d401

  • SHA1

    349a453f73b70da9138197f2bf029613f2bf47d3

  • SHA256

    d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213

  • SHA512

    7041ec4786212417b082f634ca785400a28a22165896078727567340d5dd0edcccfa54172e8d4dc2e39a5e95f5dda49d28c6ed76999c0c33348af697384c7330

  • SSDEEP

    12288:BgwD2w6IRnN6SJWGiT1IpRrfW3WOvduhmxcLX/M9Uu+B7cbN:J2V1ymxcEUuj

Score
9/10

Malware Config

Signatures

  • Detects executables (downloaders) containing URLs to raw contents of a paste 3 IoCs
  • Detects executables referencing many IR and analysis tools 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe
    "C:\Users\Admin\AppData\Local\Temp\d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 356
      2⤵
      • Program crash
      PID:2388
    • C:\Users\Admin\AppData\Local\Temp\d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe
      C:\Users\Admin\AppData\Local\Temp\d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 328
        3⤵
        • Program crash
        PID:4520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 656
        3⤵
        • Program crash
        PID:1432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 800
        3⤵
        • Program crash
        PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 820
        3⤵
        • Program crash
        PID:1676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 828
        3⤵
        • Program crash
        PID:4660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 800
        3⤵
        • Program crash
        PID:4852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1040
        3⤵
        • Program crash
        PID:4188
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1336
        3⤵
        • Program crash
        PID:3736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 888 -ip 888
    1⤵
    PID:4016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 860 -ip 860
    1⤵
    PID:4064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 860 -ip 860
    1⤵
    PID:2408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 860 -ip 860
    1⤵
    PID:468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 860 -ip 860
    1⤵
    PID:656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 860 -ip 860
    1⤵
    PID:3744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 860 -ip 860
    1⤵
    PID:3652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 860 -ip 860
    1⤵
    PID:2984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 860 -ip 860
    1⤵
    PID:1704
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:4448
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4732
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    PID:5116
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:3632
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2848
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2948
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:516

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133597856128304032.txt

    Filesize

    75KB

    MD5

    ce88a108043a3d69e5325754ba9c7181

    SHA1

    c64f06b8081f5ec0ae7c0e1fe7b0f248aa6550c4

    SHA256

    b2552766ebb3469549cea5b6b609077fa6e38c000eba6befadfd275e11a8095e

    SHA512

    cb5e53fb1520b68178ad465cde801ed779521b843de44f894fc8fdbd071f33f663a60f570b134ff0996bf407ef9ecee72810b16dd9276469e6b0efb5d5c85829

  • C:\Users\Admin\AppData\Local\Temp\d82922135a671af6a69455ca22bae5a9da66e03f86aae14595a6824e3aa20213.exe

    Filesize

    426KB

    MD5

    24b5dcbe0cf510765acfc9dec48e11c3

    SHA1

    250184910a3d4478ef3c7f27e9c412dc3f26cc4e

    SHA256

    7d721f7582a38c5bf7f419a4bc072f4a1d42283c38544025617dd24a88af9125

    SHA512

    446fd1c34b5694bafb1679f4be128ba6347ed8204e420920ae189e883ff17c267f1083bf72ff6d866d58a4b70a129a907b46fac96a10b1659ba6e04656284db6

  • memory/860-16-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/860-7-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/860-8-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/860-14-0x0000000004F70000-0x0000000004FE2000-memory.dmp

    Filesize

    456KB

  • memory/860-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/860-23-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/888-0-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/888-6-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2948-33-0x00000284EA7F0000-0x00000284EA810000-memory.dmp

    Filesize

    128KB

  • memory/2948-44-0x00000284EA7B0000-0x00000284EA7D0000-memory.dmp

    Filesize

    128KB

  • memory/2948-64-0x00000284EABC0000-0x00000284EABE0000-memory.dmp

    Filesize

    128KB

  • memory/4732-27-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB