Overview

overview

10

Static

static

3

96c7d1d5da...60.exe

windows7-x64

7

96c7d1d5da...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760.exe

  • Size

    1.6MB

  • MD5

    3e4461418de7a12e7951ccf51fe4d4d3

  • SHA1

    d7332419080c1a8eaef111439feb71bda300a1d3

  • SHA256

    96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760

  • SHA512

    b01982718c3f62059f086c3274f9f8d1c98bbb9bcc187bfa466b369d08818cd2fe06e0949256eddbfd6f26b3fd5428ea8008d49adf6f233282f08c8dce4e9553

  • SSDEEP

    24576:9sRgQPPLVkiouiRjaMkVRu9JS70cJscGh6U8mEGKacNpVAADNi5GeZTOjo:9sV3LGjpkVIJunw98mTKfVAyNioSTO

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760.exe
        "C:\Users\Admin\AppData\Local\Temp\96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4588
      • C:\Users\Admin\AppData\Local\Temp\96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760.exe
        "C:\Users\Admin\AppData\Local\Temp\96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
      • C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
        "C:\Users\Admin\AppData\Roaming\Access\InnerException.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1092
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5624
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2568
    • C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
      C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
      Filesize

      1.6MB

      MD5

      3e4461418de7a12e7951ccf51fe4d4d3

      SHA1

      d7332419080c1a8eaef111439feb71bda300a1d3

      SHA256

      96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760

      SHA512

      b01982718c3f62059f086c3274f9f8d1c98bbb9bcc187bfa466b369d08818cd2fe06e0949256eddbfd6f26b3fd5428ea8008d49adf6f233282f08c8dce4e9553

      Download Submit

    • memory/212-6313-0x00007FFD77760000-0x00007FFD78221000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/212-5155-0x00007FFD77760000-0x00007FFD78221000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2268-1167-0x0000000000400000-0x00000000004D0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/2268-1169-0x0000022999CB0000-0x0000022999CB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-1170-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2268-1171-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2268-1172-0x00000229B2640000-0x00000229B274A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2268-5152-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2268-5148-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2268-5147-0x00000229B2750000-0x00000229B27A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4588-32-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-18-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-62-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-59-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-57-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-54-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-53-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-50-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-46-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-82-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4588-60-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-42-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-40-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-36-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-34-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-66-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-30-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-28-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-24-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-22-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-20-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-65-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-16-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-12-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-10-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-8-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-7-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-26-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-14-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-4-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-3-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-1154-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4588-1156-0x0000029EDAD50000-0x0000029EDAD9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4588-1155-0x0000029EDAC40000-0x0000029EDAD4E000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4588-48-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-44-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-38-0x0000029EDADC0000-0x0000029EDAF59000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-2-0x0000029EDADC0000-0x0000029EDAF60000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-1-0x0000029EC0640000-0x0000029EC07DE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4588-0-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4588-1157-0x0000029EDAF60000-0x0000029EDAFB4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4588-1166-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4588-1163-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4588-1168-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

      Download