Analysis
-
max time kernel
51s -
max time network
55s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 15:07
Static task
static1
Behavioral task
behavioral1
Sample
2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe
Resource
win10v2004-20220812-en
General
-
Target
2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe
-
Size
316KB
-
MD5
007018cbce72ac57815c72c8bac76400
-
SHA1
a30d564e481d4e25f25ac24f115c04fd4a8c0ccd
-
SHA256
2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570
-
SHA512
d1c60cacbffc5c2008cd75be43252b3cb9fdb74e875bb61fbdd214ae039538ffe8be624f8e745343fed6aff65f17390e6d82c09d6a6efb0d26d8bd54a463fcd2
-
SSDEEP
6144:SribUzkuvcBYC47l2xLNaFmoKZLxtHU/TMDkW01eedmQb+xq:Sr7kuveY33FJUo7MDkA6f
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid Process 1212 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe 1212 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe 1212 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1212 2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe"C:\Users\Admin\AppData\Local\Temp\2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1212
Network
-
Remote address:8.8.8.8:53Requestc1.downlloaddatamy.infoIN AResponse
-
Remote address:8.8.8.8:53Requestr1.getapplicationmy.infoIN AResponser1.getapplicationmy.infoIN A94.229.72.116
-
Remote address:8.8.8.8:53Requestc2.downlloaddatamy.infoIN AResponse
-
Remote address:8.8.8.8:53Requestr2.getapplicationmy.infoIN AResponser2.getapplicationmy.infoIN A94.229.72.115
-
94.229.72.116:80r1.getapplicationmy.info2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe152 B 3
-
94.229.72.115:80r2.getapplicationmy.info2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe152 B 3
-
8.8.8.8:53c1.downlloaddatamy.infodns2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe69 B 148 B 1 1
DNS Request
c1.downlloaddatamy.info
-
8.8.8.8:53r1.getapplicationmy.infodns2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe70 B 86 B 1 1
DNS Request
r1.getapplicationmy.info
DNS Response
94.229.72.116
-
8.8.8.8:53c2.downlloaddatamy.infodns2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe69 B 148 B 1 1
DNS Request
c2.downlloaddatamy.info
-
8.8.8.8:53r2.getapplicationmy.infodns2973801d132eec1340ba7315df741c96a36af294af529f3a218fbadfc6902570.exe70 B 86 B 1 1
DNS Request
r2.getapplicationmy.info
DNS Response
94.229.72.115
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
269KB
MD5af7ce801c8471c5cd19b366333c153c4
SHA14267749d020a362edbd25434ad65f98b073581f1
SHA256cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA51288655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c
-
Filesize
91KB
MD5d2b596fa229e1b03704c9e9c3b4d4aa0
SHA119c57157c2e9b58037a7d2bca4909cbf125e9a23
SHA2561bf33578f57d6436e916cc0734e8adc66a0e3c7ca5de1290601a73e3e362419d
SHA5124e0d8ba8aea2c36ec79c86dcb6febe28ee0788d6a4d94231b5de10930e7fe0d285786bf6bfc3d85d8f1e83a4fb65f0f8a24e691c3298fce60ccef9a434a0d9c0
-
Filesize
173KB
MD5be16f8d320da824f0db58ef6d75c75c6
SHA19c3993bbfa92ca6d5dc2b2721716f5040bb22d82
SHA256a2879be2df754addca789fdd9d7d52dff21687414a2579ed8e05aaf9fb283822
SHA512bbe5e522f5ef988d2ff216a5afc16fd5ee39244839f4ec6382f77d70df1dfe11e35cfad1ec4446ff06849c04c1e681bf312a9ea9623f96eac9e0677bab7eb1f0