Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 04:33

General

  • Target: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
  • Size: 1.2MB
  • MD5: 3e59ae6e32212b48b5119d210dbabd0c
  • SHA1: ad93d375d8047bb2d0eebc1edf408b85b22a9df3
  • SHA256: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54
  • SHA512: 7f304776265db0f58c73e138faf7737de30f76a58041e95c1a23efd52eb0e54f2d6dca16016863e667fcad2c13efc3083225e2a39350a8c0279ed1f2141056e8
  • SSDEEP: 3072:HAJ6YCx9QPeD18h7bLFrR3VYoufTbwH/EONHckiw1jNdGAeBycisq9ygf:HAYFu2Dyh7PFrRVYoQzONFXjNLFE4

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
    "C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\WINDOWS\system\pm.exe
      C:\WINDOWS\system\pm.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1644
    • C:\WINDOWS\system\pt.exe
      C:\WINDOWS\system\pt.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 108
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2036

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\elementgj.dll
    Filesize: 20KB
    MD5: 991ac0a478c632bad7d5ca623679bd74
    SHA1: 8aecef6c8605346596b4331fdfa00d433d1fa4fb
    SHA256: 318dcfffe05989cf4293f2d626cd899045fe8b58a037825dc3e5596ebb61cfe7
    SHA512: 6ba05b77815e6088099daa5847af4ab5272c8b298e747785ae3f48ed791f0289e4a2a0f33c4ab9035021d3dbce2aee96fb6875a583b1a569c85167e96e25e45a

  • C:\WINDOWS\system\pt.exe
    Filesize: 15KB
    MD5: acde03a4eeca28c2bc4d8a3f83e0d596
    SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
    SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
    SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38

  • C:\Windows\system\pm.exe
    Filesize: 1.1MB
    MD5: 9d3dcad735b56115f78d1f2a8606f462
    SHA1: 03108db2fceb8a368ac915bcc95617d10906ac2d
    SHA256: a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9
    SHA512: 70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f

  • C:\Windows\system\pt.exe
    Filesize: 15KB
    MD5: acde03a4eeca28c2bc4d8a3f83e0d596
    SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
    SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
    SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38

  • \Users\Admin\AppData\Local\Temp\elementgj.dll
    Filesize: 20KB
    MD5: 991ac0a478c632bad7d5ca623679bd74
    SHA1: 8aecef6c8605346596b4331fdfa00d433d1fa4fb
    SHA256: 318dcfffe05989cf4293f2d626cd899045fe8b58a037825dc3e5596ebb61cfe7
    SHA512: 6ba05b77815e6088099daa5847af4ab5272c8b298e747785ae3f48ed791f0289e4a2a0f33c4ab9035021d3dbce2aee96fb6875a583b1a569c85167e96e25e45a

  • \Windows\system\pm.exe
    Filesize: 1.1MB
    MD5: 9d3dcad735b56115f78d1f2a8606f462
    SHA1: 03108db2fceb8a368ac915bcc95617d10906ac2d
    SHA256: a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9
    SHA512: 70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f

  • \Windows\system\pt.exe
    Filesize: 15KB
    MD5: acde03a4eeca28c2bc4d8a3f83e0d596
    SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
    SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
    SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38

  • memory/988-68-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/988-64-0x0000000000000000-mapping.dmp
  • memory/988-78-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/1644-58-0x0000000000000000-mapping.dmp
  • memory/1676-67-0x0000000000340000-0x0000000000361000-memory.dmp
    Filesize: 132KB
  • memory/1676-66-0x0000000000340000-0x0000000000361000-memory.dmp
    Filesize: 132KB
  • memory/2036-71-0x0000000000000000-mapping.dmp