Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:42

General

  • Target

    26f8ac295a2947028e47839e346ccf0926dcd28b7f500009f385a18c6ebf8749.exe

  • Size

    182KB

  • MD5

    366d1773468b870f7c6107efb0e9aa70

  • SHA1

    4a8ad564be4460824e5e6048246213d40161c394

  • SHA256

    26f8ac295a2947028e47839e346ccf0926dcd28b7f500009f385a18c6ebf8749

  • SHA512

    1a142a296d267ff2931ffe1709a9bc9890ced9ce105e22eb8650e154ecd32fb45294d871667c1e27a2d5813ef853fb9f606225431c59196b8b75a798fe9d4f1f

  • SSDEEP

    3072:g96kfLhHSdldQEcRIPOBU4OkvDxutbY1ufFCqZ9rcbCE0M4HJ29Yv:g96kfLVSl3cKJ4OkbcbkwCqZ9rfM4Hz

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26f8ac295a2947028e47839e346ccf0926dcd28b7f500009f385a18c6ebf8749.exe
    "C:\Users\Admin\AppData\Local\Temp\26f8ac295a2947028e47839e346ccf0926dcd28b7f500009f385a18c6ebf8749.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1324
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\debug.dll,CodeMain QQdpq
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • \Program Files\Internet Explorer\360liveupdate.dll

    Filesize

    20.0MB

    MD5

    7d4a807d6782800096525841deeb9493

    SHA1

    aa667e1e9ed92e8bf21f417a782a26f3a99c61c7

    SHA256

    e9010c23e5ad32d24bf73266edbbfe9e2a59bcee5918a140dcbb5f8a60e976a9

    SHA512

    ead2fd928e98f996dcd51584dca9395ebd4baa55868ef6aed3bf7e1ce69d74275ae5b2b604b6fb6e0ad3325841fa10e71bfcbc67e9bf15a5b6a22e9d9d030482

  • \Windows\SysWOW64\Debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • \Windows\SysWOW64\Debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • \Windows\SysWOW64\Debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • \Windows\SysWOW64\Debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • \Windows\SysWOW64\Debug.dll

    Filesize

    20.1MB

    MD5

    ddf944e3d426bebc6f2b853ddb49d92e

    SHA1

    8b86440f68a51605028b0957192b1a026f87e972

    SHA256

    bbb84ec1d6e108cea531a62237304b0921e09fe250cbfcf7b4580f93df9ef886

    SHA512

    6071d9533bf73d08788d1ec00893c6a8cf0b74e312a052c2e20bc5423b986a18643349f2bbd3e6be812c757a2bd60bfc204e5cf817281e0418ca99f6482573d9

  • memory/780-60-0x0000000000000000-mapping.dmp

  • memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

    Filesize

    8KB

  • memory/1324-57-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB