Overview

overview

8

Static

static

1

b4e634baee...a7.exe

windows7-x64

8

b4e634baee...a7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4e634baeecde29b2599537d357f87a7.exe

  • Size

    89KB

  • MD5

    b4e634baeecde29b2599537d357f87a7

  • SHA1

    29ca3fd61d1563184e8c6353520ac2b0b82c81f5

  • SHA256

    9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6

  • SHA512

    c26d975be9a020a11248147526d1bc0733e62e4dee1cf146775cc463419161e9bad886c4a5fe56d4608f03540ce1655abd250d90f1fb2637cc1c597f6b61e64e

  • SSDEEP

    1536:lr9RFbR3XfYFHuI2Zod8+7gTSaSMi9xfQb+ng5aOmTcuOiFeR7Rkxr:fbR3XMuYd8jV5iQb+ngQZhYRV

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e634baeecde29b2599537d357f87a7.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e634baeecde29b2599537d357f87a7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oculta.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\oculta.ps1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://server.massgravs.pro/index.php
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oculta.bat
    Filesize

    158B

    MD5

    54c2f3a00d5bc5ffd7f5338b8d7e265c

    SHA1

    5c4086ecf9a3508666b1bd4e27ba8f7a517813be

    SHA256

    a6aec3bbc95bc0a300857092e35a602c601397eefc8565f2bc42e7e77df1eddb

    SHA512

    05bf9854e0ba84f12e7ddbaf14886491d98a832ef3287b3affc08079b9d08c88d01c386737a3b3e1d9be3cd8850266bb9ea037269e027209410f1ea6c5cf685c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\oculta.ps1
    Filesize

    1KB

    MD5

    921c2fb8f2423f9fb469e274eed1d860

    SHA1

    48bf33a865d9415e514281ecb48ac8e8e43ad4bc

    SHA256

    ce0bd47287e5b4ebe9de5d050e27e36ba863af9a9b21c52a3e8bc5f135252220

    SHA512

    31d6a485ff59da843ce4048322d4357ec1eb832b7acb0bff4aa6a9005efdd26be97163cdc5e8da30684ce2b45b72b1b9d02bcec800c7726b26fb52f6dafb16db

    Download Submit

  • memory/2172-2-0x0000000074A40000-0x000000007512E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-1-0x0000000000C60000-0x0000000000C7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2172-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-9-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-10-0x0000000074A40000-0x000000007512E000-memory.dmp

    Filesize

    6.9MB

    Download