Overview

overview

8

Static

static

3

przv3.exe

windows7-x64

5

przv3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    75s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 03:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    przv3.exe

  • Size

    17.8MB

  • MD5

    d6f73cc1d510e743a10d7810c20af810

  • SHA1

    62fb77628f2d066d98c7656e0b84499ce9b9da94

  • SHA256

    7e791afb9e4818496373828afa76df01fe6a77075b9a94095c54aca5fb24b2ac

  • SHA512

    c10122b3a6e152ba2cf20c6b1220289957b5c8442b183e34da61381c6976670652a35eb54c08536469380ddedf932f54c38fca519425f7c9c92b9bf7528e90bd

  • SSDEEP

    393216:oZA1UlLze3AvfDwCCpjNmXhqMnOQCRkDr3X+u06rSP+:8AulHe3A3DwCCQlOQ4kDjO96rSP

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Program crash 2 IoCs
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\przv3.exe
    "C:\Users\Admin\AppData\Local\Temp\przv3.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\przv3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\przv3.exe" MD5
        3⤵
        • Manipulates Digital Signatures
        PID:3488
      • C:\Windows\SysWOW64\find.exe
        find /i /v "md5"
        3⤵
          PID:452
        • C:\Windows\SysWOW64\find.exe
          find /i /v "certutil"
          3⤵
            PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4584
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 5
              4⤵
              • Delays execution with timeout.exe
              PID:2592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1228
          2⤵
          • Program crash
          PID:560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4700 -ip 4700
        1⤵
          PID:4868
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:2500
          • C:\Users\Admin\AppData\Local\Temp\przv3.exe
            "C:\Users\Admin\AppData\Local\Temp\przv3.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\przv3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4396
              • C:\Windows\SysWOW64\certutil.exe
                certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\przv3.exe" MD5
                3⤵
                  PID:1164
                • C:\Windows\SysWOW64\find.exe
                  find /i /v "md5"
                  3⤵
                    PID:4628
                  • C:\Windows\SysWOW64\find.exe
                    find /i /v "certutil"
                    3⤵
                      PID:3224
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:812
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4972
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 5
                        4⤵
                        • Delays execution with timeout.exe
                        PID:3740
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1148
                    2⤵
                    • Program crash
                    PID:228
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2480 -ip 2480
                  1⤵
                    PID:5040

                  Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2480-9-0x0000000002620000-0x0000000002621000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2480-10-0x0000000002630000-0x0000000002631000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2480-12-0x0000000000400000-0x000000000257A000-memory.dmp

                          Filesize

                          33.5MB

                          Download

                        • memory/4700-1-0x0000000002700000-0x0000000002701000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4700-0-0x00000000026F0000-0x00000000026F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4700-3-0x00000000004F1000-0x00000000013A1000-memory.dmp

                          Filesize

                          14.7MB

                          Download

                        • memory/4700-2-0x0000000000400000-0x000000000257A000-memory.dmp

                          Filesize

                          33.5MB

                          Download

                        • memory/4700-6-0x0000000000400000-0x000000000257A000-memory.dmp

                          Filesize

                          33.5MB

                          Download

                        • memory/4700-7-0x0000000000400000-0x000000000257A000-memory.dmp

                          Filesize

                          33.5MB

                          Download

                        • memory/4700-8-0x00000000004F1000-0x00000000013A1000-memory.dmp

                          Filesize

                          14.7MB

                          Download