Overview

overview

10

Static

static

3

cf37e1644e...5d.exe

windows7-x64

10

cf37e1644e...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 02:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

  • Size

    3.2MB

  • MD5

    6f2b9a4c2e69d96b0f275d22060fb904

  • SHA1

    d79b1a0b9deec643eb821a38702c8a5d605e0b6d

  • SHA256

    cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d

  • SHA512

    4d7cf4153152856a08bfd73fdc5e964ee57383b9e7d58169c576ed216b3adca0d85c650235e6f955817f9c0de21bd61f232c2e2b019d4b84d726687e406771b9

  • SSDEEP

    98304:5Y8WV9nEF+oi9oYGVo7SROk/BznpU6jcja4Q2B:5YRVu9i9oYGvOkV+wc

Score
10/10
evasionexecutiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2124
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1800
      • C:\Windows\SysWOW64\net.exe
        net stop WinDefend
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop WinDefend
          3⤵
            PID:2692
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          2⤵
          • Launches sc.exe
          PID:2872

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2124-0-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2124-2-0x0000000000400000-0x0000000000737000-memory.dmp

              Filesize

              3.2MB

              Download

            • memory/2124-3-0x0000000000400000-0x0000000000737000-memory.dmp

              Filesize

              3.2MB

              Download

            • memory/2124-4-0x0000000000230000-0x0000000000231000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2124-6-0x0000000000400000-0x0000000000737000-memory.dmp

              Filesize

              3.2MB

              Download

            • memory/2124-7-0x0000000000400000-0x0000000000737000-memory.dmp

              Filesize

              3.2MB

              Download

            • memory/2124-9-0x0000000000400000-0x0000000000737000-memory.dmp

              Filesize

              3.2MB

              Download