Overview

overview

8

Static

static

7

b380a03634...3N.exe

windows7-x64

8

b380a03634...3N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    74s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b380a03634f1a81857979f8675002b90223749a97a2a79da3342d91fbf387613N.exe

  • Size

    256KB

  • MD5

    066eb137f43a2085e7eebd4ebf565f30

  • SHA1

    a8b207f68761ec12f886e9651b15fcda35a9ba20

  • SHA256

    b380a03634f1a81857979f8675002b90223749a97a2a79da3342d91fbf387613

  • SHA512

    e54484b9bc9782695fe9f13f26c8d1868ed6670ac26b7e61bb1ef8b47cf62c24071fd6f228263070ecb84261676d75b8ffe39a681ff2322509a7ae9c61c879a8

  • SSDEEP

    6144:uDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:uQCyQ1LHk+zR7QHjGo

Score
8/10
discoverypersistencevmprotect

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b380a03634f1a81857979f8675002b90223749a97a2a79da3342d91fbf387613N.exe
    "C:\Users\Admin\AppData\Local\Temp\b380a03634f1a81857979f8675002b90223749a97a2a79da3342d91fbf387613N.exe"
    1⤵
    • Drops file in Drivers directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3068
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:2360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\yyyy
      Filesize

      256KB

      MD5

      b76c89ff5e31a612becd58827782e7da

      SHA1

      4f5eb296636918a6b1e51d32d6c26a084248ab8e

      SHA256

      7bc3f7ad708f63c166856463a5491553f400190a85e58340a0d1a2ed02d7f4fb

      SHA512

      120aad91426569534fcb5dd8771768c431d2daaaaa0b3161f6cb7790a7be684267bc3887c2fdeca79fa48190bc8c1a58a6edddbc64146449513485c0540ed330

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      Filesize

      337B

      MD5

      b8eee9ce61edae96b8e83c3430933d8d

      SHA1

      e0ae73b84f4c7a023eb3cc35ecd8e0ceb4b9197f

      SHA256

      ff25781a71afad4fd8f6bf0b9f8aedbbd2ed50647370ba8916e36636e284c6ee

      SHA512

      45aa59e0e651433f1342de3f82502312312226cf9a9883b168d68e46506ca50f2abcf7c7bc3464beb21c39fdd2b790c66fc192df3e3c0a8c15636b4d30aa0308

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      2KB

      MD5

      a1d921556cf3a3d9d26b2ef002a7f87e

      SHA1

      6d35761aa3c8d24ab25db1d6a6e8a964bebd7121

      SHA256

      be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309

      SHA512

      282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049

      Download Submit

    • memory/1688-0-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1688-1-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1688-19-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/2596-24-0x00000000044B0000-0x00000000044C0000-memory.dmp

      Filesize

      64KB

      Download