Overview

overview

7

Static

static

3

6f9fcdf305...dc.exe

windows7-x64

7

6f9fcdf305...dc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe

  • Size

    936KB

  • MD5

    00f1134ac30c0f5fc7394d3c5115430f

  • SHA1

    01d262ab5e765a4c80c8b015055c91fc2ce944a3

  • SHA256

    6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc

  • SHA512

    3b88134012fefafb992a239381226698832d5290623879c94797c97d7891ad8c1936238ac268a38f5dadff5e0bd6b936b312c57c7891316fa242850a878f77b7

  • SSDEEP

    12288:pCoVUa6kt9k13IJmTQil+zNAfZb2hkMd4UyDebmmYfTJSgnqivM4+a3K8Q/K1P6Q:MU19kRImAzWb2hk+yWmmWdnqi5GW+pn4

Score
7/10
execution

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe
    "C:\Users\Admin\AppData\Local\Temp\6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nlyuypcnhupxytki.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\putty.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Nlyuypcnhupxytki.vbs
    Filesize

    173B

    MD5

    88d229354c4065c2b2834e43e225457b

    SHA1

    cf08a692294c27053a643a8e0f44fcc1badb6c91

    SHA256

    b9a524175681990f2f7787c4d29f2adfe7f1baec47beb1e5a2de6787cc039fd2

    SHA512

    ff240b7f654f9ecb5ca4c1a316be6f6e49ecfe94b3c52cad144440a5138de51051c69af13418b15e3f5dec0977e484bbeb468cf8a770b85be49c3da68a7af7c7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61f8e76370a7adf164c17de71d368284

    SHA1

    c0dc6dbc87dbcae927f74400f67e5c1586d20bfd

    SHA256

    3a439d6d887d9a60f8b8f5f81b46be13234714b4c9f6ddecd54747c8748f66a1

    SHA512

    b78e6a78e8828e39461ccc16aaa5f2e1ab9a8dbca57d997774d0429faf062ed1922a542b5234627e93057ee49c2f3b2f28bd9d8bd90b71aa6b596366c92b8bb7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MSBuild.exe
    Filesize

    252KB

    MD5

    c2bb03fef1d363c37b42af77fdb1a0ea

    SHA1

    541cfa640e20cfd3601ba8d0de9a04906614f1df

    SHA256

    ee2dbfacdb12b684b8305fb4070c210f8422d9e2909c1fec1f800bb78148f552

    SHA512

    0f4a2466dd4ff7824a3accbe9cd95cc285965d0be58b718e1937f4dee0b6719b3a4c3590c129d437232d4b651ef182dfa1fb771bd4b411958e638065dc3a5d58

    Download Submit

  • memory/860-28-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/860-1-0x0000000001070000-0x000000000115E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/860-2-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-3-0x000000001BA90000-0x000000001BB60000-memory.dmp

    Filesize

    832KB

    Download

  • memory/860-10-0x000000001C7B0000-0x000000001C82C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/860-473-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/860-0-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-30-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2748-29-0x000000001B330000-0x000000001B612000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2868-46-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-80-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-23-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-19-0x0000000140000000-0x0000000140070000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2868-36-0x000000001ABC0000-0x000000001AC48000-memory.dmp

    Filesize

    544KB

    Download

  • memory/2868-37-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-38-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-40-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-42-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-44-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-70-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-72-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-21-0x0000000140000000-0x0000000140070000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2868-68-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-91-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-88-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-86-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-84-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-82-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-24-0x0000000140000000-0x0000000140070000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2868-78-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-76-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-74-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-66-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-64-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-63-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-60-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-58-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-57-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-54-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-52-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-50-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-48-0x000000001ABC0000-0x000000001AC44000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2868-17-0x0000000140000000-0x0000000140070000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2868-474-0x00000000022D0000-0x0000000002322000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2868-475-0x00000000008A0000-0x00000000008AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2868-476-0x000000001B430000-0x000000001B484000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2868-477-0x000000001BE60000-0x000000001BEAC000-memory.dmp

    Filesize

    304KB

    Download