Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 21:58

General

  • Target

    17e9b81f37a50c27d3ac50d62f572fd0N.exe

  • Size

    256KB

  • MD5

    17e9b81f37a50c27d3ac50d62f572fd0

  • SHA1

    b8e2fe4cbe6db491f30a8f6f3c599ed8b9a0afe5

  • SHA256

    334f161204a67302840feb8ec90c19573a3363930f7b091617f3fe87fde01785

  • SHA512

    4606c56d57a8203da9b6d7f9709f5049137ef7d9f7069f76db0a8dbe56604c95cccf6294b11abbac2eca3227c235c5795535339d5adf553f3f33303ba610c15e

  • SSDEEP

    6144:dDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:dQCyQ1LHk+zR7QHjGo

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)

    Adversaries may achieve persistence by adding a Registry key under Active Setup on the local machine; the referenced command runs once per user at logon.

  • Drops file in Drivers directory (1 IoC)

    The file written is C:\Windows\System32\drivers\etc\hosts (listed under Downloads below), so name resolution on the infected host is altered.

  • Deletes itself (1 IoC)

    Done through the dropped batch file C:\Users\Admin\AppData\Local\Temp\yyyy.bat, executed via cmd.exe (see Processes).

  • VMProtect packed file (4 IoCs)

    Detects executables packed with the VMProtect commercial packer. The 256KB file on disk will not show the unpacked code; the 560KB dumps of PID 3040 listed below are the better starting point for static analysis.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (13 IoCs)
  • Suspicious use of FindShellTrayWindow (28 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

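The following is an added triage script, not part of the sandbox report or of the sample. It reads the three registry-backed locations the signatures above point at (Active Setup, the Internet Explorer start page, scheduled tasks) on a Windows host. The registry paths are the documented ones; the `Suspicious` flag is a heuristic of my own (a command line referencing a user-writable directory, as the sample's Temp path does) rather than a verdict, and `$UserWritable`, `Get-ActiveSetupStubs`, `Get-IEStartPage` and `Get-SuspiciousTasks` are names I chose for this example.

```powershell
# Added example, not part of the sandbox report or of the sample: read-only
# triage of a Windows host for the registry-based behaviours flagged above.
# Assumes Windows PowerShell 2.0 or later (the sandbox ran Windows 7) in an
# elevated session so HKLM and the full schtasks listing are readable.
# The registry locations are the documented Active Setup and IE start page
# keys; the "Suspicious" flag is a heuristic (a command referencing a
# user-writable directory, as the sample's Temp path does), not a verdict.

$UserWritable = '\\Users\\|AppData|\\Temp\\|ProgramData|%TEMP%|%APPDATA%|%USERPROFILE%'

# Active Setup: every component with a StubPath runs once per user at logon.
# Both the native and the Wow6432Node view are checked on 64-bit Windows.
function Get-ActiveSetupStubs {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in (Get-ChildItem $root)) {
            $props = Get-ItemProperty $key.PSPath
            if ($props.StubPath) {
                New-Object PSObject -Property @{
                    Component  = $key.PSChildName
                    StubPath   = $props.StubPath
                    Version    = $props.Version
                    Suspicious = [bool]($props.StubPath -match $UserWritable)
                }
            }
        }
    }
}

# Internet Explorer start page for the current user. Default_Page_URL is
# read too because it is what IE restores when the user resets the home page.
function Get-IEStartPage {
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        StartPage      = $main.'Start Page'
        DefaultPageURL = $main.Default_Page_URL
    }
}

# Scheduled tasks via schtasks.exe, which exists on Windows 7 (the
# ScheduledTasks module does not). Verbose CSV output repeats the header row
# for each task folder, so those rows are dropped before filtering.
function Get-SuspiciousTasks {
    schtasks.exe /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $UserWritable } |
        Select-Object TaskName, 'Task To Run', Author, 'Next Run Time'
}

Get-ActiveSetupStubs | Where-Object { $_.Suspicious } | Format-List Component, StubPath, Version
Get-IEStartPage | Format-List
Get-SuspiciousTasks | Format-Table -AutoSize
```

Run it on a suspect host, or against an offline hive by loading it under a temporary key with `reg load` and adjusting `$roots`. An Active Setup entry pointing into a user profile, or a scheduled task whose action lives under Temp or AppData, is worth pulling the binary for; a changed start page on its own only confirms the browser-hijack signature.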
Processes

  • C:\Users\Admin\AppData\Local\Temp\17e9b81f37a50c27d3ac50d62f572fd0N.exe (PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\17e9b81f37a50c27d3ac50d62f572fd0N.exe"
    • Drops file in Drivers directory
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\explorer.exe (PID 2664, child of 3040)
      Command line: C:\Windows\explorer.exe
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
    • C:\Windows\SysWOW64\cmd.exe (PID 2572, child of 3040)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      • Deletes itself
  • C:\Windows\explorer.exe (PID 1964, top-level process, not spawned by the sample)
    Command line: explorer.exe

Note that the Active Setup and Internet Explorer registry changes are attributed to the explorer.exe instance (PID 2664) started by the sample, while the sample itself (PID 3040) is flagged for WriteProcessMemory; the 64KB dump memory/2664-24 below is taken from that child process.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\yyyy
    Filesize: 256KB
    MD5: 5b4f985d38519ef07e2559a23598c60b
    SHA1: 477628e1db3ad6b20fa4c522ff38e94976899b6d
    SHA256: 9c707253fd968a5d1f99c128d18058ec4a04f613e70bc4389ccab99d191ddab0
    SHA512: 63e7eeb91c36087771851222fff2c90656dcf57599214454d72833fa9acd02bf112e22b2a81418d1a96f7c27f78055d62e35ab5c7e6a77860d55673c5c7238dd

  • C:\Users\Admin\AppData\Local\Temp\yyyy.bat
    Filesize: 337B
    MD5: aa1c4c00566567676979c72fea1b3e17
    SHA1: 77547f511fa2bbfcc522101c5c65c22c635686ba
    SHA256: 5e0f86a760a93c3bf48b7d5cd5ec1bba4cdcbb6a7a700821de23b16b64a15d35
    SHA512: 4d34045c6d6403f96b489e52ad11bb8bd0541d34f5ac9785864ccf90e026a0def725e6e540e7b33e76d4e567de014cd3a649e0cbba5234fc86387cc4bfce1ee3

  • C:\Windows\System32\drivers\etc\hosts (modified by the sample)
    Filesize: 2KB
    MD5: a1d921556cf3a3d9d26b2ef002a7f87e
    SHA1: 6d35761aa3c8d24ab25db1d6a6e8a964bebd7121
    SHA256: be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309
    SHA512: 282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049

  • memory/2664-24-0x0000000004220000-0x0000000004230000-memory.dmp
    Filesize: 64KB

  • memory/3040-0-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize: 560KB

  • memory/3040-2-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize: 560KB

  • memory/3040-19-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize: 560KB

The three dumps of PID 3040 cover the same image range (0x400000 to 0x48C000) at different points in the run, which is what to diff when looking for the VMProtect layer being unpacked in place.
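The following is an added host-check script, not part of the sandbox report or of the sample, for the file artifacts listed above. The SHA256 values are copied from the report; everything else is assumption: `$DroppedSha256`, `$HostsSha256`, `Get-Sha256Hex`, `Find-DroppedFiles` and `Get-HostsEntries` are names chosen for this example, and the hosts-file check is generic because the report gives only the modified file's hash, not its contents.

```powershell
# Added example, not part of the sandbox report or of the sample: check a
# Windows host for the dropped-file indicators listed above. The SHA256
# values are copied from the report. The hosts-file check is generic: the
# report gives only the modified file's hash, not its contents, and the
# stock Windows 7 hosts file has every line commented out, so any active
# entry on such a host was added after install. Assumes Windows PowerShell
# 2.0 or later; .NET hashing is used because Get-FileHash needs PS 4.0.

$DroppedSha256 = @{
    'yyyy'     = '9c707253fd968a5d1f99c128d18058ec4a04f613e70bc4389ccab99d191ddab0'
    'yyyy.bat' = '5e0f86a760a93c3bf48b7d5cd5ec1bba4cdcbb6a7a700821de23b16b64a15d35'
}
$HostsSha256 = 'be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# The sample drops into the running user's %LOCALAPPDATA%\Temp, so every
# profile under \Users is searched. The batch file deletes the sample, so
# absence of these files does not clear the host; the hosts file persists.
function Find-DroppedFiles {
    foreach ($name in $DroppedSha256.Keys) {
        $pattern = Join-Path $env:SystemDrive "Users\*\AppData\Local\Temp\$name"
        foreach ($file in (Get-ChildItem $pattern -ErrorAction SilentlyContinue)) {
            $hash = Get-Sha256Hex $file.FullName
            New-Object PSObject -Property @{
                Path   = $file.FullName
                Size   = $file.Length
                SHA256 = $hash
                Match  = ($hash -eq $DroppedSha256[$name])
            }
        }
    }
}

# Parse the hosts file: strip comments, split address from names, and mark
# loopback/blackhole entries (127.x, ::1, 0.0.0.0) separately from entries
# that redirect a name to a routable address.
function Get-HostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = foreach ($raw in (Get-Content $hosts)) {
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        $names = if ($parts.Length -gt 1) { $parts[1..($parts.Length - 1)] -join ' ' } else { '' }
        New-Object PSObject -Property @{
            Address  = $parts[0]
            Names    = $names
            Loopback = [bool]($parts[0] -match '^(127\.|::1$|0\.0\.0\.0$)')
        }
    }
    $hash = Get-Sha256Hex $hosts
    New-Object PSObject -Property @{
        SHA256        = $hash
        MatchesReport = ($hash -eq $HostsSha256)
        ActiveEntries = @($entries)
        Redirects     = @($entries | Where-Object { -not $_.Loopback })
    }
}

Find-DroppedFiles | Format-Table Path, Size, Match -AutoSize
$h = Get-HostsEntries
"hosts SHA256 $($h.SHA256) (matches report: $($h.MatchesReport))"
$h.ActiveEntries | Format-Table Address, Names, Loopback -AutoSize
```

A hosts file whose hash matches the report is conclusive; one that does not match but carries active entries still needs reading, since loopback entries for update or security-vendor names block those services while routable entries redirect them.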