Analysis
- max time kernel: 115s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2022 08:14

Static task: static1
Behavioral task: behavioral1
- Sample: a612ae524e9fce3dc09c2235ae00baab.exe
- Resource: win7-20221111-en
General
- Target: a612ae524e9fce3dc09c2235ae00baab.exe
- Size: 200KB
- MD5: a612ae524e9fce3dc09c2235ae00baab
- SHA1: ed955ca8d4176b3eaf0221ce913abae2cd59cb4b
- SHA256: e909a1e96eedbd51f0b72959a01335aedb816657d33859272174590e75434690
- SHA512: 76de329f9bf4ce90b3c6124b31c7841feaf1b062cd720613e97876e43f50968c0835bae6dc03515c4d83dd4254d289958ac50b9441cd62b2fdbc4866b278c2ef
- SSDEEP: 3072:CZVR496h5b37q8Fc75p9cFkL+KBNyBNzv82Xy8BF9vxEPcdEj:AHi8Fc9peFkLDUxzpBFDA
Malware Config
Extracted
- Family: systembc
- Extracted address: 146.0.75.34:4083
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 956 htdf.exe
  - 1640 htdf.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\Tasks\htdf.job (a612ae524e9fce3dc09c2235ae00baab.exe)
  - File opened for modification: C:\Windows\Tasks\htdf.job (a612ae524e9fce3dc09c2235ae00baab.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 2044 a612ae524e9fce3dc09c2235ae00baab.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 2024 wrote to memory of 956: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 956: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 956: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 956: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 1640: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 1640: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 1640: 2024 taskeng.exe -> htdf.exe
  - PID 2024 wrote to memory of 1640: 2024 taskeng.exe -> htdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a612ae524e9fce3dc09c2235ae00baab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a612ae524e9fce3dc09c2235ae00baab.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A238E570-F99B-41B0-A7FD-856C837E542C} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\amlnhdn\htdf.exe (child of taskeng.exe)
    Command line: C:\ProgramData\amlnhdn\htdf.exe start2
    - Executes dropped EXE
  - C:\ProgramData\amlnhdn\htdf.exe (child of taskeng.exe)
    Command line: C:\ProgramData\amlnhdn\htdf.exe start2
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\amlnhdn\htdf.exe
  - Filesize: 200KB
  - MD5: a612ae524e9fce3dc09c2235ae00baab
  - SHA1: ed955ca8d4176b3eaf0221ce913abae2cd59cb4b
  - SHA256: e909a1e96eedbd51f0b72959a01335aedb816657d33859272174590e75434690
  - SHA512: 76de329f9bf4ce90b3c6124b31c7841feaf1b062cd720613e97876e43f50968c0835bae6dc03515c4d83dd4254d289958ac50b9441cd62b2fdbc4866b278c2ef
- memory/956-62-0x0000000000514000-0x0000000000518000-memory.dmp: Filesize 16KB
- memory/956-60-0x0000000000000000-mapping.dmp
- memory/956-64-0x0000000000514000-0x0000000000518000-memory.dmp: Filesize 16KB
- memory/956-65-0x0000000000400000-0x000000000043D000-memory.dmp: Filesize 244KB
- memory/1640-66-0x0000000000000000-mapping.dmp
- memory/1640-68-0x00000000005B4000-0x00000000005B8000-memory.dmp: Filesize 16KB
- memory/1640-70-0x00000000005B4000-0x00000000005B8000-memory.dmp: Filesize 16KB
- memory/1640-71-0x0000000000400000-0x000000000043D000-memory.dmp: Filesize 244KB
- memory/2044-58-0x0000000000400000-0x000000000043D000-memory.dmp: Filesize 244KB
- memory/2044-57-0x00000000001B0000-0x00000000001B5000-memory.dmp: Filesize 20KB
- memory/2044-56-0x00000000002B4000-0x00000000002B9000-memory.dmp: Filesize 20KB
- memory/2044-54-0x00000000002B4000-0x00000000002B9000-memory.dmp: Filesize 20KB
- memory/2044-55-0x00000000767F1000-0x00000000767F3000-memory.dmp: Filesize 8KB