Analysis

  • max time kernel
    151s
  • max time network
    94s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2022 17:37

General

  • Target

    2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe

  • Size

    74KB

  • MD5

    7af2a4536f2383d82d15ec747f20cf96

  • SHA1

    e8028181a0a93a1df105a8cc0e0dc629a1b5d376

  • SHA256

    2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e

  • SHA512

    2fd3472f5953c596b48fb6b9ae540d066891f92441b8a0302083720655a59a2c60a8405d463890188a1d5af3fda496f4f07501dc0fe29c4c781994a350d696f6

  • SSDEEP

    1536:HJb7bstbnXgXSJJnxSWdXiF0x6KIiuLPjVtFi2eUNGPrbg0se:tObnISJtx7yBiUWlse

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
    "C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Users\Admin\AppData\Roaming\simc.tmp
      C:\Users\Admin\AppData\Roaming\simc.tmp
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c afc9fe2f418b00a0.bat
        3⤵
          PID:1732

    Network

    • US
      DNS
      kp.9n9n.net
      2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
      Remote address:
      8.8.8.8:53
      Request
      kp.9n9n.net
      IN A
      Response
    • 8.8.8.8:53
      kp.9n9n.net
      dns
      2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
      171 B
      171 B
      3
      3

      DNS Request

      kp.9n9n.net

      DNS Request

      kp.9n9n.net

      DNS Request

      kp.9n9n.net

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

      Filesize

      2KB

      MD5

      3d15f5598c7304d4620c459d16b672d6

      SHA1

      d5fd318f2347ef63c062aef5658c5ad5934107c6

      SHA256

      30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6

      SHA512

      09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10

    • C:\Users\Admin\AppData\Roaming\simc.tmp

      Filesize

      89KB

      MD5

      8a869f2d5484a56b2e89a77a8967ca3c

      SHA1

      5ec8b022e1536e44825c9f7719ad4d927a64c949

      SHA256

      894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b

      SHA512

      08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1

    • \Users\Admin\AppData\Roaming\simc.tmp

      Filesize

      89KB

      MD5

      8a869f2d5484a56b2e89a77a8967ca3c

      SHA1

      5ec8b022e1536e44825c9f7719ad4d927a64c949

      SHA256

      894ec673d67fe952f4cab0d4fb1516cf5e38c53146f0029e16e690b61167a54b

      SHA512

      08b495406e0eb6b2884afc7cc5eae5c16452d474f66c66b894a49b1e947ece80433614464b4f368c91cec50acc52ddc7cf08238e115cc173e89db53ff7e08be1

    • memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

      Filesize

      8KB

    • memory/604-56-0x0000000000020000-0x0000000000023000-memory.dmp

      Filesize

      12KB

    • memory/604-55-0x0000000000B40000-0x0000000000B7C000-memory.dmp

      Filesize

      240KB

    • memory/604-64-0x0000000000B40000-0x0000000000B7C000-memory.dmp

      Filesize

      240KB
