Overview

overview

8

Static

static

3

8e58aa4648...4d.exe

windows7-x64

8

8e58aa4648...4d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe

  • Size

    92KB

  • MD5

    03ef5c5c86ac5d8886b082ea239a535b

  • SHA1

    ee6f6ee8fcb8bb94d5b1bfa3cddd37f57374f055

  • SHA256

    8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d

  • SHA512

    ce4e78b94c639dc8d0603f3baceb0a77fdb353e8d94a8a6bd7d146f806a3b538e8d998e6a5717ef5e24fe2d7c4a79b84c537f24a160a453d4572cf165a2f4e8d

  • SSDEEP

    1536:g7EtvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRS8V3zhb:8EtvKztiIzj6xtDLBZRS8Vj5

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
    "C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240628203.reg
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Runs .reg file with regedit
      PID:3284
    • C:\Windows\SysWOW64\WinHelp3.exe
      C:\Windows\system32\WinHelp3.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 200
            4⤵
            • Program crash
            PID:2304
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 208
            4⤵
            • Program crash
            PID:5056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3732 -ip 3732
      1⤵
        PID:4296
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3732 -ip 3732
        1⤵
          PID:1416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240628203.reg
          Filesize

          378B

          MD5

          d2614c747ce333f23bf1a115a0d19deb

          SHA1

          ec018ab2016355ed2488eab2a54dddfb9151921b

          SHA256

          78896bfff8fe409ed64efa88b054a1b0e9f85e8c4e42681a7463dc0df78f4847

          SHA512

          b659c67a7901b259666ff3b8a19a6342d08c070521f8e5bd8c5ae114c4b5dff424477c6b58dbd639c34bada7a92e7cc21c9a7b6d5490a24934072d70cf4f3eeb

          Download Submit

        • C:\Windows\SysWOW64\WinHelp3.exe
          Filesize

          92KB

          MD5

          c220909d4d1b361c5a5608eb1f29c91f

          SHA1

          581b2bdf1129488d6377896c9486a48accfc6b02

          SHA256

          14bd56fcf416a186d861e1cf0d4337ded95e3ead512a76b20ff2854814fd56b8

          SHA512

          523eb0bc641ffecb57ea446ec5a8ffdcdc639fca7e3fef3549d0faa29825adf45023a8b588ce97317ba2efb9a000ea066adfd3717497f4d6a8db6bac66103eba

          Download Submit

        • memory/3732-6-0x0000000013150000-0x0000000013167000-memory.dmp

          Filesize

          92KB

          Download