Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 03:05

General

  • Target

    b1f2fcaff038e4ad2b718d3b4c07f7744c103490fb6b2f849f40b7024db38c00.exe

  • Size

    74KB

  • MD5

    74d7170d8b910ae2e2453337fdee45b5

  • SHA1

    42bd70ccffd224630d2b04b82a7df33053a8613a

  • SHA256

    b1f2fcaff038e4ad2b718d3b4c07f7744c103490fb6b2f849f40b7024db38c00

  • SHA512

    9c9494a2f08954909a89c58be0c96d57c35b3dc4e2831d8ae6028da526c015000aff3363e102eae4122faa55fa84ce5aab7a726f64678f9123ff63af142bbefc

  • SSDEEP

    768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWO:RshfSWHHNvoLqNwDDGw02eQmh0HjWO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1f2fcaff038e4ad2b718d3b4c07f7744c103490fb6b2f849f40b7024db38c00.exe
    "C:\Users\Admin\AppData\Local\Temp\b1f2fcaff038e4ad2b718d3b4c07f7744c103490fb6b2f849f40b7024db38c00.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1104
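The process tree above shows the sample dropping a binary named rundll32.exe into C:\Windows\System (not the legitimate System32 or SysWOW64 location), executing it, and rewriting the executable file-type association (T1546.001). The following PowerShell hunt is an added example, not part of the Triage report or of the sample: it checks a host for those three artefacts. It assumes the "Modifies system executable filetype association" signature refers to the standard HKCR\exefile\shell\open\command value (the report does not show which key was written), and it takes the SHA256 hashes from the Downloads section of this report.

```powershell
# Added hunting script (example, not from the report). Run elevated on a Windows host.
# Checks: (1) the .exe association default value, (2) rundll32.exe copies outside the
# legitimate directories, (3) SHA256 matches for the hashes the report lists.

# SHA256 values copied from this report's General and Downloads sections.
$IocSha256 = @{
    'b1f2fcaff038e4ad2b718d3b4c07f7744c103490fb6b2f849f40b7024db38c00' = 'submitted sample'
    'e7a227ac38cb2c9a4cbed328d7dea625f701b51ce81abf805e2bcbbfb21c5cbe' = 'dropped C:\Windows\System\rundll32.exe'
    '50582e5dc19a6bc564e6d91f6519642c112a4759af72bde509d708ef9876ba17' = 'dropped SysWOW64 notepad look-alike'
}

function Test-ExeAssociation {
    # ASSUMPTION: the signature targets HKCR\exefile\shell\open\command, whose stock
    # default value is "%1" %*. Anything else means .exe launches are being wrapped.
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $key -ErrorAction Stop).'(default)'
    [pscustomobject]@{
        Check   = 'exefile association'
        Value   = $cmd
        Suspect = ($cmd -ne '"%1" %*')
    }
}

function Find-RogueRundll32 {
    # Only these two copies are expected; WinSxS/servicing hold legitimate component
    # store copies, so exclude them instead of flagging them.
    $legit = @("$env:SystemRoot\System32\rundll32.exe", "$env:SystemRoot\SysWOW64\rundll32.exe")
    Get-ChildItem -Path $env:SystemRoot -Filter 'rundll32.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $legit -notcontains $_.FullName -and $_.FullName -notmatch '\\(WinSxS|servicing)\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'rundll32.exe outside System32/SysWOW64'
                Value   = $_.FullName
                Suspect = $true
            }
        }
}

function Find-IocHashes {
    # Directories the report shows the sample writing to or running from.
    param([string[]]$Paths = @("$env:SystemRoot\System", "$env:SystemRoot\SysWOW64", "$env:TEMP"))
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
            if ($IocSha256.ContainsKey($h)) {
                [pscustomobject]@{
                    Check   = "SHA256 match: $($IocSha256[$h])"
                    Value   = $_.FullName
                    Suspect = $true
                }
            }
        }
    }
}

$findings = @(Test-ExeAssociation) + @(Find-RogueRundll32) + @(Find-IocHashes)
$findings | Format-Table -AutoSize
# Non-zero exit when anything is suspect, so the script can gate a wider sweep.
if ($findings | Where-Object Suspect) { exit 1 } else { exit 0 }
```

The association check is the one that matters most for containment: if exefile\shell\open\command points at a dropped binary, every .exe launch re-executes the malware, so restore the default value before deleting the file, not after. Hash matching alone is weak against repacked variants; the rundll32.exe-in-the-wrong-directory check catches the behaviour regardless of the hash.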

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112


Downloads (dropped files and memory dumps)

  • C:\Windows\SysWOW64\notepad¢¬.exe
    Filesize

    85KB

    MD5

    8d93ba10321bfa42a04f47498347e9a5

    SHA1

    f50e838ccb71687f6a57f8f0e5d4682de4c61413

    SHA256

    50582e5dc19a6bc564e6d91f6519642c112a4759af72bde509d708ef9876ba17

    SHA512

    5ae814ba67297417b090d9d43df0a088e45037291fd268b6a33efd97f89582f79875be963fee1fcadcf21059aa1102fe8c6c0035f27e78220953a9891f53827c

  • C:\Windows\System\rundll32.exe
    Filesize

    75KB

    MD5

    9b3499b7dc62cb656439e3933c3f2043

    SHA1

    1c96035c9e6ddd3f10988bc3dc4e441cca51e901

    SHA256

    e7a227ac38cb2c9a4cbed328d7dea625f701b51ce81abf805e2bcbbfb21c5cbe

    SHA512

    2a324e2b1156d6345ea7b0febc552a059e170798e6e6bf95905a297d052478d4901f72e29dad401da34c1a1cfa0deaf156e0a759e42f8c781d0e128ace702e96

  • memory/3252-0-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize

    86KB

  • memory/3252-13-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize

    86KB