Overview

overview

10

Static

static

1

4c71a700f5...2N.exe

windows7-x64

10

4c71a700f5...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c71a700f5ce3e4e0c1373a356307538df8ce4112eac9df643a8f27c0d9694f2N.exe

  • Size

    150KB

  • MD5

    1edd9fefd273e84373cfa1a1aed70150

  • SHA1

    af7e8b870b6793b173d0508db6b31363c8fde15e

  • SHA256

    4c71a700f5ce3e4e0c1373a356307538df8ce4112eac9df643a8f27c0d9694f2

  • SHA512

    8cd0158cee08a6e090f45b864c476914f442beb8a05584e91e46d49d69fc7c239b5b3f858a73be0e74b92f8df713ccb0fda3bc68cadd0a129e03a207f46787e8

  • SSDEEP

    3072:TuuczBGY3j4nLXhfRf70MCRRb85TFcMo7xQGHMOfAVTzXW:TlcEY3iLXXgvRG5TFZoFQaMrHX

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c71a700f5ce3e4e0c1373a356307538df8ce4112eac9df643a8f27c0d9694f2N.exe
    "C:\Users\Admin\AppData\Local\Temp\4c71a700f5ce3e4e0c1373a356307538df8ce4112eac9df643a8f27c0d9694f2N.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    150KB

    MD5

    1dd86c39ffb08af1fb1d0a9615bbd69d

    SHA1

    69243b0f5d8b8e6eecc6b84c6eddd67d6aac6c5b

    SHA256

    9e8cceb86b0329d343cdcb05ff5e3f0857728f5b528a6726de4d562c986256bc

    SHA512

    c99368c854123fbde495fb64d988dab16d76ea7e80e92273a3c1a4e68d989a997e4f5fbe86d66947c533afe6e20ee02f3aff26c8f12d9aacebc3188649f1d76c

    Download Submit

  • memory/2948-13-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2948-1-0x0000000002190000-0x00000000021C9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2948-2-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2948-0-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2948-15-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2948-14-0x0000000002190000-0x00000000021C9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4600-16-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4600-12-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4600-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4600-18-0x0000000002730000-0x0000000002776000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4600-19-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4600-20-0x0000000002B00000-0x0000000002B4A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4600-22-0x0000000002B00000-0x0000000002B4A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4600-24-0x0000000002B00000-0x0000000002B4A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4600-27-0x0000000002B00000-0x0000000002B4A000-memory.dmp

    Filesize

    296KB

    Download