Analysis
- max time kernel: 98s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-04-2021 05:33

Static task: static1
Behavioral task: behavioral1
Sample: d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe
Resource: win7v20210410

General
- Target: d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe
- Size: 200KB
- MD5: a492dda14b06e37210725e1c6982416f
- SHA1: 8baf52a2e6776cfb48fd8821d439f10dbdb5f751
- SHA256: d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468
- SHA512: c7e242abb629100b20a8c0c7d0efbdad3deccbcc373a309084c75ce891148f93184b0e1862500f83a46e1f3c6f8e219e129ca99d4c9b81cf45508edb8561a90d
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1160  bdif.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 1084  d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe
- NTFS ADS (1 IoC)
  Processes:
    File created: \??\c:\programdata\a043022f13\bdif.exe:Zone.Identifier  by d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1084 (d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe) wrote to memory of PID 1160 (bdif.exe), 4 events
    PID 1160 (bdif.exe) wrote to memory of PID 1500 (REG.exe), 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe
      "C:\Users\Admin\AppData\Local\Temp\d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe"
      - Loads dropped DLL
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
  - [2] \??\c:\programdata\a043022f13\bdif.exe
        c:\programdata\a043022f13\bdif.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\REG.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a043022f13

The REG ADD command is the persistence step: it rewrites the current user's Startup shell folder to C:\ProgramData\a043022f13, the directory the sample copied itself into as bdif.exe. Explorer launches the contents of whatever directory that value names at logon, so the dropped copy is started on every logon without any entry in the Run keys or in the real Startup folder. The value is written as REG_SZ with a literal path, whereas the default is a REG_EXPAND_SZ value of %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; a Startup value holding anything else is a reliable indicator. This maps to MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
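Detection logic for the persistence step shown in the process tree, as an added example that is not part of the sandbox report: a Python routine that parses reg add command lines from process-creation events and flags any write to the Startup value of User Shell Folders whose data is not the default path, reporting the parent process that launched reg.exe. The event list is constructed from the report's process tree; the parent PID of 1084, the two benign control commands and the PIDs 2100, 2200 and 2300 are assumptions.

```python
"""Flag redirection of the Startup shell folder via "User Shell Folders".

Added example for this report, not sandbox output. It scans process-creation
events (constructed below, modelled on the report's process tree) for a
REG ADD that points the per-user Startup folder somewhere other than its
default, which is the persistence step bdif.exe performs here.
"""
import re
from typing import Optional

# Default Startup locations (lower-case, no trailing backslash). Writing any
# other path into the Startup value makes Explorer run that directory's
# contents at logon.
DEFAULT_STARTUP_PATHS = {
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"%programdata%\microsoft\windows\start menu\programs\startup",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted runs together, quotes stripped."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return {key, name, type, data} for a 'reg add' command line, else None."""
    toks = split_windows_cmdline(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    out = {"key": toks[2], "name": None, "type": None, "data": None}
    i = 3
    while i < len(toks):  # options may appear in any order (/f before /v here)
        opt = toks[i].lower()
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "/v" and arg is not None:
            out["name"], i = arg, i + 2
        elif opt == "/t" and arg is not None:
            out["type"], i = arg.upper(), i + 2
        elif opt == "/d" and arg is not None:
            out["data"], i = arg, i + 2
        else:  # /f, /ve, /reg:32 and anything unknown take no value here
            i += 1
    return out


def _norm(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rstrip("\\").lower()


def startup_redirection(cmdline: str) -> Optional[str]:
    """Return the new Startup path if this command redirects it, else None."""
    r = parse_reg_add(cmdline)
    if r is None or r["name"] is None or r["data"] is None:
        return None
    if r["name"].lower() not in ("startup", "common startup"):
        return None
    key = r["key"].replace("/", "\\").lower()
    if not key.endswith(r"\explorer\user shell folders"):
        return None
    path = _norm(r["data"])
    return None if path in DEFAULT_STARTUP_PATHS else path


SAMPLE = "d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468.exe"
# Constructed events following the report's process tree. The parent of
# PID 1084 (900) and the last two control events are assumptions.
EVENTS = [
    {"pid": 1084, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\%s" % SAMPLE,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\%s"' % SAMPLE},
    {"pid": 1160, "ppid": 1084,
     "image": r"c:\programdata\a043022f13\bdif.exe",
     "cmdline": r"c:\programdata\a043022f13\bdif.exe"},
    {"pid": 1500, "ppid": 1160,
     "image": r"C:\Windows\SysWOW64\REG.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a043022f13'},
    # Benign control: writes the default path back (constructed).
    {"pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f'},
    # Benign control: unrelated reg add (constructed).
    {"pid": 2300, "ppid": 2100,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Contoso /v Installed /t REG_DWORD /d 1"},
]


def find_startup_redirections(events: list) -> list:
    """One hit per event that redirects the Startup folder, with its parent image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        path = startup_redirection(e["cmdline"])
        if path is not None:
            parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
            hits.append({"pid": e["pid"], "parent_image": parent, "startup_path": path})
    return hits


if __name__ == "__main__":
    for h in find_startup_redirections(EVENTS):
        print("Startup folder redirected to %s by PID %d (parent %s)"
              % (h["startup_path"], h["pid"], h["parent_image"]))
```

On real data, feed it the CommandLine, ProcessId and ParentProcessId fields of Sysmon Event ID 1 or Security 4688 records; the parent image is what distinguishes an installer fixing the value from an executable in a random ProgramData directory doing it.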
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\a043022f13\bdif.exe
  MD5: a492dda14b06e37210725e1c6982416f
  SHA1: 8baf52a2e6776cfb48fd8821d439f10dbdb5f751
  SHA256: d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468
  SHA512: c7e242abb629100b20a8c0c7d0efbdad3deccbcc373a309084c75ce891148f93184b0e1862500f83a46e1f3c6f8e219e129ca99d4c9b81cf45508edb8561a90d
  (hashes identical to the submitted sample: the dropped file is a byte-for-byte copy of itself)
- C:\ProgramData\ad614a361b6a01b307b49efaeff97543
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the hashes of the empty input: the file is zero bytes long)
- \ProgramData\a043022f13\bdif.exe
  MD5: a492dda14b06e37210725e1c6982416f
  SHA1: 8baf52a2e6776cfb48fd8821d439f10dbdb5f751
  SHA256: d60c34a516621348b92917e01675161a7d6c0b81ab30df97af8e9d659b119468
  SHA512: c7e242abb629100b20a8c0c7d0efbdad3deccbcc373a309084c75ce891148f93184b0e1862500f83a46e1f3c6f8e219e129ca99d4c9b81cf45508edb8561a90d
- memory/1084-60-0x0000000000260000-0x0000000000270000-memory.dmp  (64KB)
- memory/1084-63-0x0000000075411000-0x0000000075413000-memory.dmp  (8KB)
- memory/1084-64-0x0000000000270000-0x0000000000295000-memory.dmp  (148KB)
- memory/1084-67-0x0000000000294000-0x0000000000295000-memory.dmp  (4KB)
- memory/1084-71-0x0000000000250000-0x000000000025D000-memory.dmp  (52KB)
- memory/1160-69-0x0000000000000000-mapping.dmp
- memory/1160-76-0x0000000000270000-0x0000000000295000-memory.dmp  (148KB)
- memory/1500-81-0x0000000000000000-mapping.dmp