Overview

overview

10

Static

static

1

7c98ca8214...0N.exe

windows7-x64

10

7c98ca8214...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/08/2024, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c98ca821480f4152d9e9cd6d92b8c40N.exe

  • Size

    244KB

  • MD5

    7c98ca821480f4152d9e9cd6d92b8c40

  • SHA1

    fceb685c57d861376f0a4b5a0acb758a796f1f31

  • SHA256

    eb6d4170d83f3e3a505263511b775c5857a6f56d95432ac0195ca13c5885877f

  • SHA512

    dbf9ed6925922c8958163db85d22dad0c1be4b0b4fd873c5090c0b84f7454b2ded4c88d8820d393549bdf2ce9370fed573b0a4a4dfbea361158fd0493832b9d2

  • SSDEEP

    6144:REXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:CAylvv5YRwh9HYd61xhmX

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c98ca821480f4152d9e9cd6d92b8c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\7c98ca821480f4152d9e9cd6d92b8c40N.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 816
        3⤵
        • Program crash
        PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
    1⤵
      PID:4336
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
      1⤵
        PID:4348

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\apppatch\svchost.exe
        Filesize

        244KB

        MD5

        f423b1bdc032198674aabc7fb5d51dab

        SHA1

        37c62f373d0738460921504f5860426e39952885

        SHA256

        681f141260795c9c42fbc80ed0919e1ccc81a8c98331ecaf567b140d0fa20f27

        SHA512

        99af2fa2b9d42d25ba42c362db886da2bf7d02ab228892f7fb4cea0d210589730c4f466682d77f05d9fbc7e9c09d230e70972ca9125a661666baa79d36a1b493

        Download Submit

      • memory/3740-0-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/3740-1-0x0000000002080000-0x00000000020E8000-memory.dmp

        Filesize

        416KB

        Download

      • memory/3740-2-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/3740-12-0x0000000002080000-0x00000000020E8000-memory.dmp

        Filesize

        416KB

        Download

      • memory/3740-14-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/4200-16-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/4200-15-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/4200-17-0x00000000027A0000-0x00000000027EA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4200-18-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/4200-19-0x0000000002B40000-0x0000000002B98000-memory.dmp

        Filesize

        352KB

        Download

      • memory/4200-23-0x0000000002B40000-0x0000000002B98000-memory.dmp

        Filesize

        352KB

        Download

      • memory/4200-21-0x0000000002B40000-0x0000000002B98000-memory.dmp

        Filesize

        352KB

        Download

      • memory/4200-26-0x0000000002B40000-0x0000000002B98000-memory.dmp

        Filesize

        352KB

        Download