Overview

overview

7

Static

static

3

1ae0608c4c...0N.exe

windows7-x64

7

1ae0608c4c...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17/08/2024, 13:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1ae0608c4c92bdd30f927cf2d2f20690N.exe

  • Size

    11KB

  • MD5

    1ae0608c4c92bdd30f927cf2d2f20690

  • SHA1

    abf6c37867990af001c9a6d3f9ef289ca9587326

  • SHA256

    82c94876f4751dfd47f670099da3957333dd437eca805ab25059937a44b21f75

  • SHA512

    7784b0b156ecaa5659ad86f3eb9547f78d67265a9b2815e93edcecf464bc2c5f7ec728b156b3c943781579e829d138e38b81635b8cfcbdb203314c16bf93d148

  • SSDEEP

    192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E

Score
7/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ae0608c4c92bdd30f927cf2d2f20690N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ae0608c4c92bdd30f927cf2d2f20690N.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCOSP.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Windows\xplorer\xplorer.exe
      "C:\Windows\xplorer\xplorer.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2584

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\TCOSP.bat
          Filesize

          124B

          MD5

          4e6e99d38b1264af2b53a68c7cd6d648

          SHA1

          55ffe17732d1d9c539d702a1311ef9674fe7b3cf

          SHA256

          168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0

          SHA512

          bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

          Download Submit

        • \Windows\xplorer\xplorer.exe
          Filesize

          11KB

          MD5

          63042b3af04803c7eaf540db5eec6a0e

          SHA1

          247a723addfc050b94fbc46c176746b128abb52c

          SHA256

          8cb46460b309ec08511fb95cd89e23bc61526813d7747786a90114657b481288

          SHA512

          374462d42204e4ee8b6f751d6983801bc6bd75b47421cc80dc5431580032aa7ac4566f9e4f5c68d42fe794734e4737cdf433cdc34b80839c207943da7b79d815

          Download Submit

        • memory/2584-45-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2584-54-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-41-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-42-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-32-0x00000000030B0000-0x00000000030B9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-43-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-48-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-49-0x00000000030B0000-0x00000000030B9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-50-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-51-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-52-0x00000000030C0000-0x00000000030C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2772-27-0x00000000030B0000-0x00000000030B9000-memory.dmp

          Filesize

          36KB

          Download