Analysis
- max time kernel: 196s
- max time network: 207s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:18
Static task: static1
Behavioral task: behavioral1
- Sample: c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe
- Resource: win10v2004-20221111-en
General
- Target: c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe
- Size: 76KB
- MD5: 709db8d8918d4c2e7fe4800763fe2c72
- SHA1: 95eee5d018932ff6c97bd42bb84d1e94a11813aa
- SHA256: c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e
- SHA512: 06e6c8371047055b5b2310d2d3cfced6858bf8b6a6ae00bfc72ad85620f28476ff72200f788410968e8728b2d5d3166370fd953862cc97c8bb512adfb52562b1
- SSDEEP: 1536:H/ex+N3DHTeOGSUd2X1uORZ7l4PBZMA5nXOo6YR9MbUHli:H/eg1efcxp4pZMAlXOo6YR2IHli
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: edgDD74.exe (PID 556)
- Deletes itself (1 IoC)
  Processes: edgDD74.exe (PID 556)
- Loads dropped DLL (2 IoCs)
  Processes: c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe (PID 1168), 2 entries
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process), 4 identical entries:
  PID 1168 wrote to memory of 556 / 1168 / c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe / edgDD74.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c9d96cd32175f66352bf1c7b6ae0a5144873a0fc28543c73d3f2d7f40228327e.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\edgDD74.exe (child of process 1)
      Command line: C:\Users\Admin\AppData\Local\edgDD74.exe C:\Users\Admin\AppData\Local\Temp\C9D96C~1.EXE cp
      - Executes dropped EXE
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\edgDD74.exe (also listed as \Users\Admin\AppData\Local\edgDD74.exe; all three entries carry identical hashes)
  Filesize: 76KB
  MD5: 0811ec8aa58c20099473b276503452b1
  SHA1: a69aa60b4d72eb1a8e190c9fc3faf1b3b81cba3a
  SHA256: 33d76f64587a44872e218eec96d1ac827729bcdcf57b357094a9b2ca6afa68a0
  SHA512: 66d0815ccac25cf17d85f711cf7754f7a5996a24e101b65c2fcc0e399f90ff0dc4f160fadc8dfdf1b9ed01416212ea435436e1ee10d84e375791b4085ab49527
- memory/556-63-0x0000000000000000-mapping.dmp
- memory/1168-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB
- memory/1168-55-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB