Overview

overview

10

Static

static

10

9931892126...36.exe

windows7-x64

9

9931892126...36.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    79s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99318921262d6b3856b953ee7f645045d1cea4003ac4f6668253b51c79d50e36.exe

  • Size

    92KB

  • MD5

    aa0309f312fabff45c637ea7b15a6746

  • SHA1

    49dceca4afbc66a45168859737c6cef2b7712fa9

  • SHA256

    99318921262d6b3856b953ee7f645045d1cea4003ac4f6668253b51c79d50e36

  • SHA512

    5a881f85eca17d82345281069a20c52df4493da5ce7c7a6642c3332c173054dbacbc58533dc96053e01aa47316685d7fd17dc3f75691cf842893db2ea04b1283

  • SSDEEP

    1536:R7PvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRQ8V3zhb:hPvKztiIzj6xtDLBZRQ8Vj5

Score
9/10
persistence

Malware Config

Signatures

  • Detects executables packed with eXPressor 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99318921262d6b3856b953ee7f645045d1cea4003ac4f6668253b51c79d50e36.exe
    "C:\Users\Admin\AppData\Local\Temp\99318921262d6b3856b953ee7f645045d1cea4003ac4f6668253b51c79d50e36.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240599656.reg
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Runs .reg file with regedit
      PID:4984
    • C:\Windows\SysWOW64\WinHelp56.exe
      C:\Windows\system32\WinHelp56.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\99318921262d6b3856b953ee7f645045d1cea4003ac4f6668253b51c79d50e36.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3572
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 204
            4⤵
            • Program crash
            PID:2144
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 212
            4⤵
            • Program crash
            PID:2952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 3572
      1⤵
        PID:2948
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3572 -ip 3572
        1⤵
          PID:1904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240599656.reg
          Filesize

          384B

          MD5

          d63838b6071d08e6598dfb131e0ea050

          SHA1

          74a2dd78aaa035d58949cecd8f2f665224253e83

          SHA256

          b752737dcdc3e98a7b58f78e842bdcc106d12f5cd1d2737e49b27931647d4143

          SHA512

          47c70259402790773839ac62734d9a9f87e6b0b4df62149eea755203779a7bed3215d7b35404a39ee828f364bfa039f3777c072d453720814e4a85a161c80866

          Download Submit

        • C:\Windows\SysWOW64\WinHelp56.exe
          Filesize

          92KB

          MD5

          3c62111a25fad43d66cd579677dad260

          SHA1

          dde6a5e0b1829c66f93bd4d65283d18c43bc4a85

          SHA256

          2030e07444bcaa9b67463423c172eca819bad2aa8187dd8b865bfa8df3e16c5b

          SHA512

          291ad5a54fd4f3284a790da8c982570f9e2c7b565ec354cc33be968e34b0bd316cdc14b4a5e787314b26000ae1a0f5c5c2476193d2020c7f573f1434ebfd82f7

          Download Submit

        • memory/3572-6-0x0000000013150000-0x0000000013167000-memory.dmp

          Filesize

          92KB

          Download