Analysis
-
max time kernel
151s -
max time network
94s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
12-10-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
Resource
win10v2004-20220812-en
General
-
Target
2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
-
Size
74KB
-
MD5
7af2a4536f2383d82d15ec747f20cf96
-
SHA1
e8028181a0a93a1df105a8cc0e0dc629a1b5d376
-
SHA256
2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e
-
SHA512
2fd3472f5953c596b48fb6b9ae540d066891f92441b8a0302083720655a59a2c60a8405d463890188a1d5af3fda496f4f07501dc0fe29c4c781994a350d696f6
-
SSDEEP
1536:HJb7bstbnXgXSJJnxSWdXiF0x6KIiuLPjVtFi2eUNGPrbg0se:tObnISJtx7yBiUWlse
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1184 simc.tmp -
Loads dropped DLL 2 IoCs
pid Process
604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files\FreeRapid\resv.bin 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File created C:\Program Files\FreeRapid\1.bat 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File created C:\Program Files\FreeRapid\2.bat 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File created C:\Program Files\FreeRapid\4.bat 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\windows\Comres.dll simc.tmp -
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A simc.tmp
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 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 simc.tmp -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1184 simc.tmp -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeBackupPrivilege 1184 simc.tmp
Token: SeRestorePrivilege 1184 simc.tmp -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 604 wrote to memory of 1184 604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe 29
PID 604 wrote to memory of 1184 604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe 29
PID 604 wrote to memory of 1184 604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe 29
PID 604 wrote to memory of 1184 604 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe 29
PID 1184 wrote to memory of 1732 1184 simc.tmp 30
PID 1184 wrote to memory of 1732 1184 simc.tmp 30
PID 1184 wrote to memory of 1732 1184 simc.tmp 30
PID 1184 wrote to memory of 1732 1184 simc.tmp 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe "C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Users\Admin\AppData\Roaming\simc.tmp C:\Users\Admin\AppData\Roaming\simc.tmp 2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\cmd.exe cmd /c afc9fe2f418b00a0.bat 3⤵ PID:1732
-
-
Network
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
Remote address: 8.8.8.8:53 Request: kp.9n9n.net IN A Response:
-
171 B 171 B 3 3
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
-
171 B 171 B 3 3
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
-
171 B 171 B 3 3
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
DNS Request
kp.9n9n.net
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2KB
MD5 3d15f5598c7304d4620c459d16b672d6
SHA1 d5fd318f2347ef63c062aef5658c5ad5934107c6
SHA256 30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6
SHA512 09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10
-
Filesize
89KB
MD5 8a869f2d5484a56b2e89a77a8967ca3c
SHA1 5ec8b022e1536e44825c9f7719ad4d927a64c949
SHA256 894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b
SHA512 08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1
-
Filesize
89KB
MD5 8a869f2d5484a56b2e89a77a8967ca3c
SHA1 5ec8b022e1536e44825c9f7719ad4d927a64c949
SHA256 894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b
SHA512 08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1
-
Filesize
89KB
MD5 8a869f2d5484a56b2e89a77a8967ca3c
SHA1 5ec8b022e1536e44825c9f7719ad4d927a64c949
SHA256 894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b
SHA512 08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1
-
Filesize
89KB
MD5 8a869f2d5484a56b2e89a77a8967ca3c
SHA1 5ec8b022e1536e44825c9f7719ad4d927a64c949
SHA256 894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b
SHA512 08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1