d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe
Size

29KB
MD5

0450a6c65908290d66a9f050b9eac80c
SHA1

be2f9e4bf4ede8806bcd27373fbe7f837023ad4b
SHA256

d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f
SHA512

8c2bf5ad21e2602a01802a3ecd88ca1897b505832dd18998f48958a175d81a08efa5c821722dd7c65cf92836c58f453b4f567439c50565eb776f3f227ebc7384
SSDEEP

768:kqzUBKzyXmJnHyAtKzCIztwLZ/5bu7O5T:RUBIyCnHgz3BSn5T

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1052	NTdHcP.exe

Deletes itself 1 IoCs

pid	Process
1528	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe
2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdHcP.exe	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	NTdHcP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1052	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	26
PID 2036 wrote to memory of 1052	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	26
PID 2036 wrote to memory of 1052	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	26
PID 2036 wrote to memory of 1052	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	26
PID 2036 wrote to memory of 1528	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	27
PID 2036 wrote to memory of 1528	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	27
PID 2036 wrote to memory of 1528	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	27
PID 2036 wrote to memory of 1528	2036	d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe	27

C:\Users\Admin\AppData\Local\Temp\d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe
"C:\Users\Admin\AppData\Local\Temp\d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\NTdHcP.exe
  C:\Windows\system32\NTdHcP.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
248B

MD5
5937acf51ce7a138ac165632a2cb9446

SHA1
98a703087b718d53b9fa80ac9e2a736ea9fea55d

SHA256
c7dd3cc7d0cae9ec859391f2d9e85e5c3ce35f3a9c098a8eee0486011d055e6a

SHA512
f8d0ddb6ac3d1926f379727de5057de997092b93910262d937988ec52b52adbf957a3cb6eed293bb265ffd4aa2e10f5975580f8f67709c9ae55a67d2e5f1e09a

Download Submit
C:\Windows\SysWOW64\NTdHcP.exe

Filesize
29KB

MD5
0450a6c65908290d66a9f050b9eac80c

SHA1
be2f9e4bf4ede8806bcd27373fbe7f837023ad4b

SHA256
d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f

SHA512
8c2bf5ad21e2602a01802a3ecd88ca1897b505832dd18998f48958a175d81a08efa5c821722dd7c65cf92836c58f453b4f567439c50565eb776f3f227ebc7384

Download Submit
C:\Windows\SysWOW64\NTdHcP.exe

Filesize
29KB

MD5
0450a6c65908290d66a9f050b9eac80c

SHA1
be2f9e4bf4ede8806bcd27373fbe7f837023ad4b

SHA256
d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f

SHA512
8c2bf5ad21e2602a01802a3ecd88ca1897b505832dd18998f48958a175d81a08efa5c821722dd7c65cf92836c58f453b4f567439c50565eb776f3f227ebc7384

Download Submit
\Windows\SysWOW64\NTdHcP.exe

Filesize
29KB

MD5
0450a6c65908290d66a9f050b9eac80c

SHA1
be2f9e4bf4ede8806bcd27373fbe7f837023ad4b

SHA256
d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f

SHA512
8c2bf5ad21e2602a01802a3ecd88ca1897b505832dd18998f48958a175d81a08efa5c821722dd7c65cf92836c58f453b4f567439c50565eb776f3f227ebc7384

Download Submit
\Windows\SysWOW64\NTdHcP.exe

Filesize
29KB

MD5
0450a6c65908290d66a9f050b9eac80c

SHA1
be2f9e4bf4ede8806bcd27373fbe7f837023ad4b

SHA256
d460e773b6e7723270eccb98fdf723ac884380bdb3bc52c8e132efeea3f1524f

SHA512
8c2bf5ad21e2602a01802a3ecd88ca1897b505832dd18998f48958a175d81a08efa5c821722dd7c65cf92836c58f453b4f567439c50565eb776f3f227ebc7384

Download Submit
memory/1052-63-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/2036-54-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/2036-56-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/2036-57-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2036-65-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download