Overview

overview

10

Static

static

3

St raphael...10.exe

windows7-x64

10

St raphael...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    St raphael juillet 2010.exe

  • Size

    41KB

  • MD5

    b788561e93731bacedc64d92650a4d6b

  • SHA1

    22566f4de9d1f789314c0e67fcdc4f2d4778308d

  • SHA256

    7518537fdfbe929c077ec21570f0243ae957714238e2e3857d8fbcc7bf81d4af

  • SHA512

    6d8d342eb1382be57a1ca838d6fa987b32a3ed1f255f94dd0a9db231c0713c15398acbed988e2a4e3550a08988e4305bdc90506ee8a93b63086e5397ae395267

  • SSDEEP

    768:FOT/0+bspijWBN+drsP1sqqzNFKI2FT8SPI5siIPFv2jPVdov35BMCS:60+2iji2stsq23KFzP8oPFOjtdm5O

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\St raphael juillet 2010.exe
    "C:\Users\Admin\AppData\Local\Temp\St raphael juillet 2010.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Modifies registry class
      PID:2940
    • C:\Users\Admin\AppData\Local\smss.exe
      C:\Users\Admin\AppData\Local\smss.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Users\Admin\AppData\Local\winlogon.exe
        C:\Users\Admin\AppData\Local\winlogon.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:228
      • C:\Windows\SysWOW64\at.exe
        at /delete /y
        3⤵
          PID:2672
        • C:\Windows\SysWOW64\at.exe
          at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com"
          3⤵
            PID:5112
          • C:\Users\Admin\AppData\Local\services.exe
            C:\Users\Admin\AppData\Local\services.exe
            3⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:4068
          • C:\Users\Admin\AppData\Local\lsass.exe
            C:\Users\Admin\AppData\Local\lsass.exe
            3⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:1088
          • C:\Users\Admin\AppData\Local\inetinfo.exe
            C:\Users\Admin\AppData\Local\inetinfo.exe
            3⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            PID:1584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\services.exe
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit

      • C:\Users\Admin\AppData\Local\smss.exe
        Filesize

        41KB

        MD5

        b788561e93731bacedc64d92650a4d6b

        SHA1

        22566f4de9d1f789314c0e67fcdc4f2d4778308d

        SHA256

        7518537fdfbe929c077ec21570f0243ae957714238e2e3857d8fbcc7bf81d4af

        SHA512

        6d8d342eb1382be57a1ca838d6fa987b32a3ed1f255f94dd0a9db231c0713c15398acbed988e2a4e3550a08988e4305bdc90506ee8a93b63086e5397ae395267

        Download Submit