Overview

overview

10

Static

static

3

02b6675eed...6N.exe

windows7-x64

02b6675eed...6N.exe

windows10-2004-x64

Analysis

  • max time kernel
    39s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 22:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe

  • Size

    234KB

  • MD5

    52388efef65151557e386d2829247b20

  • SHA1

    3258e556cd6e3b6a7941dbe3494c060b63448557

  • SHA256

    02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6

  • SHA512

    dc829f5cdc3a8bf618aade862a3920bfc2e88146dd3d85d76e5cf4d36331ac43c6fc7944bd17178fc48fc97c013f9d1eb46c4e9a375c3b2f0708341e9cf4ee6f

  • SSDEEP

    384:PJG14lR/NpKAN+UJfo8vJh/7neuwyv3ZUKcreuDreuwyv3ZUKcreuDj:RFtFe8vJtDeunUreufeunUreuP

Score
10/10
defense_evasiondiscoveryevasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe
    "C:\Users\Admin\AppData\Local\Temp\02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winsock.exe"
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2944
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winkernel32.exe"
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3925055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\winsock.exe
    Filesize

    258KB

    MD5

    f2e15b52a3cdc16e2e0a241e7b7af12b

    SHA1

    5fc354c6e2199d8178a7512ef16c56d2b87be372

    SHA256

    93becf493f79d3a981b1ecdb6d4cf8bd13dcf980ebc6a2dc8e4a27e01c2e8c1f

    SHA512

    61a155f138106fab98110fd8e204b9f33898fb25f32e46e1e60512a2a2a79fe5ce078f798db39db7ced47bfa411d681a7847768ab39a132ccaefd44d0786a740

    Download Submit

  • memory/3728-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download