Overview

overview

8

Static

static

3

46e848e8f6...ef.exe

windows7-x64

8

46e848e8f6...ef.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe

  • Size

    5.5MB

  • MD5

    235c5171209f986f8d8fdf07f5ad6e9e

  • SHA1

    cfb985e39b49364e3ba2915d390dca107624dffa

  • SHA256

    46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef

  • SHA512

    cc7a42f750f5a03172dcc4ebbbae52b0e208b5c03f1d94aefc6fb52280e5fd18fbcb62fcacd8fe2801f449dd19f3229686cffa3ebf442e0997680c298afa8643

  • SSDEEP

    98304:oseHlHdc5b9dXLVi2xIb7S1fw7pXyZ7oz0R5uz0rbJagkW7kOLIx1qxz8hjFrZB5:Bem17h10XvwPhagz7q2wNPQ00W

Score
8/10
persistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 6 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe
    "C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
        PID:1600
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\123.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:3472
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:2220
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:1060
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c assoc .txt = exefile
        2⤵
        • Modifies registry class
        PID:3676
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe
        2⤵
        • Modifies system executable filetype association
        • Modifies registry class
        PID:556
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe
        2⤵
        • Modifies registry class
        PID:4836
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe
        2⤵
        • Modifies registry class
        PID:544
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\46e848e8f62887004de2c754dc3338a976fbcfe7aa66822ba0a4bac0980eebef.exe
        2⤵
        • Modifies registry class
        PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\123.bat
      Filesize

      443B

      MD5

      70170ba16a737a438223b88279dc6c85

      SHA1

      cc066efa0fca9bc9f44013660dea6b28ddfd6a24

      SHA256

      d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

      SHA512

      37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      5.5MB

      MD5

      08cd6feadac6cb8e2f86d043f0056d3f

      SHA1

      15b45e3b12a621d18f88674503e9dc3f328e62a8

      SHA256

      d91b19694265d2284934d38d6458dac2d64c76cbd1d509d817dfa76a7acd1b0d

      SHA512

      5b1ebbf5074522e90afcf7a62406a8f089e674d227c323e82180da95bf4237e68a373e97092cebdae24298a03066ff12350fe03c6d58b07ca42c304f7f3374ec

      Download Submit

    • memory/4268-0-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/4268-1-0x00000000029F0000-0x00000000029F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4268-4-0x000000000040E000-0x000000000070E000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4268-2-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/4268-1020-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download