Overview

overview

8

Static

static

3

271aa013b7...bc.exe

windows7-x64

8

271aa013b7...bc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe

  • Size

    80KB

  • MD5

    73e91b1ab6d5a198be59978c1d8a4e78

  • SHA1

    c5b2d5036fc1531ed367cdff3f6c1feab1e72feb

  • SHA256

    271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc

  • SHA512

    18bce3147e442b9655ec875cecf763081aae4e60c65642c8f53c884fd244553a4284163d05eabe353a660883a2231b647a21d1bc3381276a914bd619a226dab8

  • SSDEEP

    768:78QXvyTFpHrP/58ByHA/oEraNsNHPkUfb+uTld9woHBX4QXsFwAbF1PGCwwtIa:BKFF358KAAErO4PrquZwor/4+Cf6

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe
    "C:\Users\Admin\AppData\Local\Temp\271aa013b7689e38eb76cead1f94936c13f0c528980b09b3450ee4e72f457cbc.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\mfxixue.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:3888
      • C:\Windows\Tasks\csrss.exe
        C:\Windows\Tasks\csrss.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:5036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PerfLogs\wsock32.dll
    Filesize

    15KB

    MD5

    dead113140d0686a7d7feba99e884258

    SHA1

    47289ad8994a2d7a26c8b675a8d273683fc33452

    SHA256

    4712b10f86fd235297ccf236a2321bd0e82e65f98bdb7abb30d748cb6b54a221

    SHA512

    4a71779dc868aad54d3227ef5f783bd4a5cd60e3dffeb50f8b5325b43b24b2fb92b8ce0b4b09490dd050ac7560d4c485575e5142c95f8d67ebe224b0cf9475e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JcI5AdeJKJ.pif
    Filesize

    88B

    MD5

    bcd8edb015ddc9e31e8e1b4657c3df43

    SHA1

    d320e044bc0ed73e557a885a1a47714b8c85200e

    SHA256

    37646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37

    SHA512

    2a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    912B

    MD5

    48ec95bacc8186d72cce11b9584faeb7

    SHA1

    0a6900de60be125b545d36a55f56bd0f7db18d32

    SHA256

    402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

    SHA512

    42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

    Download Submit

  • C:\Windows\Tasks\csrss.exe
    Filesize

    80KB

    MD5

    4a13f3bb778f7f2eba62f21a78902b4c

    SHA1

    26d01de427a25643eaf762283960860af0bb66af

    SHA256

    3107209e838a18074282445c086c9c6f06ebf82d067de22378c75acce7aa0a49

    SHA512

    127eec36429019662c9b1aa6cb9ad75c547d1523b729eccf296cc4964e0d4ed9d222d1819cb0dc4b51df49eae678cd15a143903b3cbe64a1aa52f66adde7fb7c

    Download Submit

  • C:\Windows\Tasks\hackshen.vbs
    Filesize

    97B

    MD5

    a8c57eab4925bb4ad48cbabba42746e0

    SHA1

    f9fa7820051d33dadb862777fffd9714517e086d

    SHA256

    bc37a3b40be7e73055684637731ac8514e7ec9a32fd470eb73c71fd8600dba51

    SHA512

    d03022e7dee4f2121c41fa4fc236147cc79dfd8006630e6cb3ac84b1f732015fc957dd27df94fc5e28bc144b932e297f783edf009cd2b55b9fd25529f07e0ec6

    Download Submit

  • \??\c:\mfxixue.bat
    Filesize

    163B

    MD5

    9778810ad3491466374117f3630150b5

    SHA1

    288b5a8dbfc0830c17bbbea1ea0097781116d7fe

    SHA256

    a703afbf3c99934feda32706444d39805bc21d96d6baf03779c867259aa445d2

    SHA512

    41afbf47eed5a980e1c366281f6ea8dda606826a99f94ff8506ab4b937f00a05f778d1cdb6a8ff3d3acc30823809b3643b2df555832febdf39627f659b7f52fa

    Download Submit

  • memory/4968-0-0x0000000000400000-0x000000000041308C-memory.dmp

    Filesize

    76KB

    Download

  • memory/4968-4-0x0000000000400000-0x000000000041308C-memory.dmp

    Filesize

    76KB

    Download

  • memory/5036-15-0x0000000000400000-0x000000000041308C-memory.dmp

    Filesize

    76KB

    Download