Overview

overview

7

Static

static

3

57b43d2f33...0N.exe

windows7-x64

7

57b43d2f33...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57b43d2f33199979ac054492e66e5670N.exe

  • Size

    464KB

  • MD5

    57b43d2f33199979ac054492e66e5670

  • SHA1

    a2f5458681626cf325671ee923c94ce8d603caaf

  • SHA256

    b2ae045ef1cdc7c18c71489de34b2d151443b1d23bc870c9130c4e979283ed64

  • SHA512

    9246b110b7971edcab6b06111aa87f0fc8cc32edea3b0fb6448646f9715310441a8333670202c48f29a7fbe8cb344c590fca29cb618361a8c988ceb2f745ffb5

  • SSDEEP

    12288:vZlc87eqqV5e+wBoO+jOEHPSa+3qKf+PMZxod61lS0:vZSqqHeVBJVEHPB+hmEg2s0

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\57b43d2f33199979ac054492e66e5670N.exe
      "C:\Users\Admin\AppData\Local\Temp\57b43d2f33199979ac054492e66e5670N.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Roaming\getmayed\coloWith.exe
        "C:\Users\Admin\AppData\Roaming\getmayed"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Users\Admin\AppData\Local\Temp\~CCB6.tmp
          3444 475656 3632 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2188
  • C:\Windows\SysWOW64\bitsHost.exe
    C:\Windows\SysWOW64\bitsHost.exe -s
    1⤵
    • Executes dropped EXE
    PID:3452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~CCB6.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\getmayed\coloWith.exe
    Filesize

    464KB

    MD5

    f1039114ab297ab99e25716859de60c5

    SHA1

    1c558bee9963db2550e13362df73c3fbb44958d6

    SHA256

    bb8a88bf6a98fff109dc9100374529a403cef68b6bbc98e0612e2826b579eb63

    SHA512

    0ee25d12bb2bf18e0894d92d210e0f54ae98533ddd0eea1d101a3d918a2b1f427edfa46cc4fb23a06fae90588f224128ef7efcdcc58070830be242b867c2b7c7

    Download Submit

  • memory/1016-1-0x00000000005B0000-0x000000000062D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1016-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1016-28-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3444-27-0x0000000002DC0000-0x0000000002DC6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3444-16-0x0000000007870000-0x00000000078F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3444-26-0x0000000002DF0000-0x0000000002DFD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3444-25-0x0000000007870000-0x00000000078F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3452-23-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3452-24-0x00000000005B0000-0x000000000062D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3632-6-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3632-29-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3632-11-0x0000000000840000-0x0000000000845000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3632-10-0x00000000006A0000-0x000000000071D000-memory.dmp

    Filesize

    500KB

    Download