Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 01:42

General

  • Target

    64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5.exe

  • Size

    909KB

  • MD5

    c49dd8107b3624f824efe4f88cb3f792

  • SHA1

    e195f4e8cba7bbb7096f165abd6564fb184c838b

  • SHA256

    64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5

  • SHA512

    9aaeb4f1116be05a334519746ad3b1de7273e15e394b1e79f2dc54588625a22918e462a9bede050c78ce108714747d88bb0f07424ee985b25b2ad2beb17dd0b8

  • SSDEEP

    24576:SAHnh+eWsN3skA4RV1Hom2KXMmHacfmG5:Vh+ZkldoPK8Yacr

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5.exe
    "C:\Users\Admin\AppData\Local\Temp\64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ProgramData\NetWork /deny "Admin:(R,REA,RA)"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2328

Network

MITRE ATT&CK Enterprise v15
