Analysis

  • max time kernel
    124s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 22:54

General

  • Target

    d21f9a270aa132c5f20ef653b538a1ae7af898cc6561ae7ad5bfe0a3bc6bee24.exe

  • Size

    7.0MB

  • MD5

    6359a8f8d4aff1c1ece7bf4275e4cd8c

  • SHA1

    94558e515510cec7359062b5b5ad8e368c6bd1d5

  • SHA256

    d21f9a270aa132c5f20ef653b538a1ae7af898cc6561ae7ad5bfe0a3bc6bee24

  • SHA512

    b6d6cc2e4086f5e6c2ae72941642666e39f68b2bd5ab06b6f10565ee9552b4754972a4b45fd3207feac8b2bb1ed751d6b915bfdc6a3e00124f723674db6b3d5b

  • SSDEEP

    196608:gmTmdmTmdmTmdmTmdmTmdmTmdmTmdmTmdmTmdmTmdmTmdmEmdmTmdmTmdmTmdmTB:U

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d21f9a270aa132c5f20ef653b538a1ae7af898cc6561ae7ad5bfe0a3bc6bee24.exe
    "C:\Users\Admin\AppData\Local\Temp\d21f9a270aa132c5f20ef653b538a1ae7af898cc6561ae7ad5bfe0a3bc6bee24.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2904
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1372
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2796
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2424
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2104
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1936
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1624
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2368
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2944
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2152
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1672
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1760
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:572
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    14.0MB

    MD5

    dc46e96886290dab50e0697da3d4f5fc

    SHA1

    f9503255ace87c71dd7f4fee48c1a95d62d51599

    SHA256

    d5c7058968706118d3621da9fcd964e76e10321584033018da413aa6c77bce09

    SHA512

    1783474019fd521890e453d512901d0c3558ade3fcaf6fd6dc6b0fc1b193d85bbd438505aafb990a098010f9e843647bb953bae1051aeac8996a360e6c93888b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    27.9MB

    MD5

    c05fdf415ecdef7475c67ae3929fb230

    SHA1

    d3c62087742bc60cb5895fbf8caf36019e9d7be0

    SHA256

    378877233283dd26086a4d01baa1dbe1b5a519c146fef6e9ad2d06d0f455d3b7

    SHA512

    e84bf78d356ea251fac16be625b06143db1b782b7edf0935020393311952a1e71d75f5cb9e2d0811424c6d27d358793de8152c47732cdeb5ffd4b4b66725368b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    27.9MB

    MD5

    6f0c798b90b45cf76e053376268af047

    SHA1

    435eeac1eec0805f9bb8a037fbe00e2be961114c

    SHA256

    ac251c2ba3d752aa089c69d2fa96e3bab8366c2c5bb9fb15ec09a5854d4f7ef6

    SHA512

    8b4415591ce5f5ac992af3cac42c071eddd5b4e1cd0f7ef2d3686cb8552d52b6bc10c127675011db0a553d2b01a49f3e53a38f0ec3bc148082bdba880929f0bd

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    34.9MB

    MD5

    ce2b75f7536309cc5b405c736bd76b7a

    SHA1

    eaf30c98ec9f9f799c2134991a20a482ec78d158

    SHA256

    59a20ac488191b18e151527945bce0f7e05d143ce446615e221f60968b8c3df5

    SHA512

    db4202948337b4e3c4a123f6a835a6b98a745b34f871cda20bc78b6744827a88e2bc4bbeaf183df0ef0699591490fedce9e5976f98aef240cd4ed2aeac5a0853

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    41.9MB

    MD5

    451ddedc43f4bd9b98a683f1f5b4b7a7

    SHA1

    4819af66037ba88ce6fccb8bf0cd6b90fb5ca94f

    SHA256

    d4fbf98cd3737fc635b85f7af6d43371ff079b2caa1bef23407620963e79c6e9

    SHA512

    9a402de03862fede6a8817ba2a9028916b3eef66df454103dc7de759745bf0069a4b18c5c95fe68b4a5c01bf8665e27e4e5f98568e9de1ecfda021384fdd592b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    48.9MB

    MD5

    1220ea0b647650b339e42ccb1fe080ce

    SHA1

    727b43bac32fa193d573ab673043b09ccabafdeb

    SHA256

    a7ee560607f691a7b938273288c97b19be882a98de82ac14bc47959dd77eb516

    SHA512

    f953e63c460b3b25247a9f1961bb7a5b48de3aeb49acd31a191ae1ef053d46929fc6e463ca0f0066da9e39a317243731c8b223f6d297a3af489a04246bd688be

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    55.8MB

    MD5

    2af8c044a597b8507938504069091ee9

    SHA1

    082248fb0818ad9b02424a629e55f5ba86cd1907

    SHA256

    d3d9b03369ae4127fe8b25a734ceaeba9501694ead06efe75ceba2bd648dafe0

    SHA512

    bd6986c68f68a1bbd9302779e00824095a4a92151ac1d36961b3023feaa76db34b7e0db70aa14a41003ad2502b6ae92ad34166770b49847af01c1e69afb48a89

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    28dfeacd65a1d18db1eb778b04481907

    SHA1

    db5b63dd0760b563ac10c0f412f4ba191480a332

    SHA256

    4e8db376bd9d764d2f22c5464c978dcb9684b6cd4cdbfbf74accfdc4db55585b

    SHA512

    fa7414be098a842e776b55db126a836158f3aaf59e46a49d01fb7a47af7eeda7d3e70102ac3609d784cec0a692584dbd62866de7cd1ab4bd71737abea9eb62f0

  • C:\Windows\hosts.exe

    Filesize

    7.0MB

    MD5

    efe5130c56594a707ab607071806c1cb

    SHA1

    e5d31d4f6556abed060eaf7842e2a1fb134a72aa

    SHA256

    712ce030188fd419562a2d8bdae46eac3a49ad493d97487196222a3ceabec1c9

    SHA512

    20b2b25df3c57e3dbf5312b64ced4536d1a08c8bb16fa2ce9a62842351dd2730266840c2249aa116c9633852f5846a45030d16549736f7ab1aba6fad373fef7e

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    7.0MB

    MD5

    591190ff75c5d8569757b410f6913b3f

    SHA1

    19203f2d402ad73c8700b29f1ae3ff2eaee49a75

    SHA256

    1d88c20db2564204123620e8e37575f61e49cd4f6071b0c07fbd0eb555167ec6

    SHA512

    3165fe216a532a0abe7dcac5888d1c69070f5730da2c79b88f223dfe259af95c956cdc70bc5e41970fc953a3e21a5c065573f59d02234dd85e38d95dfd005d3f

  • memory/2796-77-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB