Overview

overview

10

Static

static

3

f0dc8be0db...df.exe

windows7-x64

10

f0dc8be0db...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2024, 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0dc8be0db36b29ae80171d347faf228d10f5858df2e5e2868f488b33d9d78df.exe

  • Size

    157KB

  • MD5

    5fa7fb184fc25b7957d246e9e61085c0

  • SHA1

    8eb5b03eefc5ae1f036fdc8e83fccacf45d1499c

  • SHA256

    f0dc8be0db36b29ae80171d347faf228d10f5858df2e5e2868f488b33d9d78df

  • SHA512

    cdcd2527d705b9bc417622fa71234e025f5a9c0a729965ff910489e380dc9c1691e94afce3922b195d5facadf41dfc59a0b7a7e0faf7ff9b631bbbe89f6607b6

  • SSDEEP

    3072:deAjyYsAq/C3RCzgJHvNA1PpYfFL6zU+BEfi:oAjjqahUSPe1SZ+h

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0dc8be0db36b29ae80171d347faf228d10f5858df2e5e2868f488b33d9d78df.exe
    "C:\Users\Admin\AppData\Local\Temp\f0dc8be0db36b29ae80171d347faf228d10f5858df2e5e2868f488b33d9d78df.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AppPatch\svchost.exe
    Filesize

    157KB

    MD5

    b9b6673a37eb0ac250e21b7138f9c6fd

    SHA1

    d3d582281c0653953ae5cb8a637bfcee24ef9519

    SHA256

    a099277142de20970b9cff6ce964c1d16bdc4bbb748b6f8948ca6a001ff8a294

    SHA512

    8067ca2bd6043295f0f8dbf9b48ea11bcf1ce5fb4639c9a036fa7c70e7e73557b53c9550e902fb6ff435dc5f1c16ddc04c1c5f9cbe7005723e15b8bacfa906b1

    Download Submit

  • memory/1496-18-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-14-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-24-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-22-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-20-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-16-0x0000000000240000-0x0000000000286000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1496-25-0x00000000002D0000-0x000000000031A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1496-27-0x00000000002D0000-0x000000000031A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1496-33-0x00000000002D0000-0x000000000031A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1496-29-0x00000000002D0000-0x000000000031A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1496-34-0x00000000002D0000-0x000000000031A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2812-12-0x00000000009A0000-0x00000000009D0000-memory.dmp

    Filesize

    192KB

    Download