Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64
arch:x86
image:win7-20230220-en
locale:en-us
os:windows7-x64
system
-
submitted
10-05-2023 18:10
Static task
static1
Behavioral task
behavioral1
Sample
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
Resource
win10v2004-20230220-en
General
-
Target
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
-
Size
1.1MB
-
MD5
0ede5189d2124e2de33daca7dfacecd8
-
SHA1
b5b62e468bbc494bf039a2b84748a1c54ddf21cb
-
SHA256
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
-
SHA512
dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
-
SSDEEP
12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1476 svhost.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
3 bot.whatismyipaddress.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2032 set thread context of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NTFS ADS 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description pid process target process
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
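The SetThreadContext and WriteProcessMemory signatures above point at the same pair of processes: the sample (PID 2032) writes repeatedly into the dropped svhost.exe (PID 1476) and then replaces a thread context in it, the classic shape of process hollowing. The parent-to-child writes into cmd.exe and reg.exe, by contrast, are what CreateProcess itself produces. The Python below is an added example for this page, not part of the sandbox report or of Triage; it parses rows in the report's flattened column order (the SIGNATURE_ROWS input is constructed from the rows shown here) and flags only the pairs where both API calls hit the same target.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows of a
Triage-style signature table into process-injection candidates.

Added example for this page; it is not part of the sandbox report or of the
Triage product. SIGNATURE_ROWS is constructed from the rows shown on the page
(one row per API call, in the report's flattened column order).
"""
import re
from collections import defaultdict

WRITE = "wrote to memory of"
SETCTX = "set thread context of"

# Constructed input: rows in the report's "description pid process target process" order.
SIGNATURE_ROWS = """
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 2032 wrote to memory of 1208 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe cmd.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 1208 wrote to memory of 296 1208 cmd.exe reg.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 wrote to memory of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
PID 2032 set thread context of 1476 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe svhost.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_rows(text):
    """Aggregate rows into {(src_pid, dst_pid): record}.

    Each record keeps both image names and a per-action call count. Repeated
    rows are counted rather than collapsed: the sandbox logs one row per API
    call, and a hollowed image is written section by section, so the number
    of writes into one target is itself a signal.
    """
    events = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a row in another format
        key = (int(m["src"]), int(m["dst"]))
        rec = events.setdefault(
            key,
            {"src_image": m["src_image"], "dst_image": m["dst_image"], "actions": defaultdict(int)},
        )
        rec["actions"][m["action"]] += 1
    return events


def injection_candidates(events):
    """Return the (src, dst) pairs where the source both wrote into the target
    and replaced one of its thread contexts.

    A parent writing into a child it just spawned is expected: CreateProcess
    populates the child's PEB and process parameters, which is why the
    cmd.exe -> reg.exe rows appear at all. WriteProcessMemory alone therefore
    carries little signal; the SetThreadContext call on the same target is
    what separates hollowing/injection from ordinary process creation.
    """
    found = []
    for (src, dst), rec in sorted(events.items()):
        acts = rec["actions"]
        if acts.get(WRITE) and acts.get(SETCTX):
            found.append(
                {
                    "src_pid": src,
                    "dst_pid": dst,
                    "src_image": rec["src_image"],
                    "dst_image": rec["dst_image"],
                    "writes": acts[WRITE],
                    "context_changes": acts[SETCTX],
                }
            )
    return found


if __name__ == "__main__":
    for c in injection_candidates(parse_rows(SIGNATURE_ROWS)):
        print(f"{c['src_image']} ({c['src_pid']}) -> {c['dst_image']} ({c['dst_pid']}): "
              f"{c['writes']} writes, {c['context_changes']} thread-context change(s)")
```

Run against the constructed rows it reports a single candidate, 2032 -> 1476 (svhost.exe); the cmd.exe and reg.exe pairs are parsed but not flagged because no thread context was touched in them.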
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
"C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
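The reg.exe child in the tree writes the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, one of the win.ini-era autostart locations that Windows still evaluates at logon and that quick triage often overlooks in favour of the CurrentVersion\Run keys. The data points at name.exe.lnk in the user's Temp directory; the Downloads list shows name.exe itself (a byte-identical copy of the sample) but not the .lnk. The Python below is an added example for this page, not part of the report: it parses a `reg add` command line the way reg.exe tokenises it and reports whether the write lands in a known autostart location, with the Temp-path and shortcut details as extra indicators. The autostart list is a short, deliberately incomplete selection.

```python
"""Parse a `reg add` command line and report whether it installs a user
autostart entry, as the reg.exe child in the process tree above does.

Added example for this page; it is not part of the sandbox report. The
command line below is the one shown in the tree; the autostart list is a
short, deliberately incomplete selection of logon locations.
"""
import re

# Command line taken from the process tree on this page.
SAMPLE_CMDLINE = (
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" '
    r'/v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f'
)

HIVES = {"hkcu": "HKEY_CURRENT_USER", "hklm": "HKEY_LOCAL_MACHINE",
         "hku": "HKEY_USERS", "hkcr": "HKEY_CLASSES_ROOT"}

# (key path below the hive, value name or None for "any value", label).
# Load and Run under "Windows NT\CurrentVersion\Windows" are the win.ini
# "load="/"run=" mappings that Windows still honours at logon.
AUTOSTART = [
    (r"software\microsoft\windows nt\currentversion\windows", "load", "Windows\\Load autostart value"),
    (r"software\microsoft\windows nt\currentversion\windows", "run", "Windows\\Run autostart value"),
    (r"software\microsoft\windows\currentversion\run", None, "CurrentVersion\\Run key"),
    (r"software\microsoft\windows\currentversion\runonce", None, "CurrentVersion\\RunOnce key"),
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split like cmd.exe does for reg.exe: quoted spans stay whole, quotes dropped.
    (shlex is avoided on purpose: in POSIX mode it eats the backslashes.)"""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {'key','value','type','data','force'} for a `reg add`, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value": "(Default)", "type": "REG_SZ", "data": None, "force": False}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            parsed[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = toks[i + 1]
            i += 2
        elif flag == "/f":
            parsed["force"] = True
            i += 1
        else:  # /ve, /s, /reg:32 ...: not needed for this check
            i += 1
    return parsed


def normalize_key(key):
    """Split 'HKCU\\Software\\...' into (canonical hive name, lower-cased path)."""
    hive, _, path = key.replace("/", "\\").partition("\\")
    return HIVES.get(hive.lower(), hive.upper()), path.strip("\\").lower()


def classify_reg_add(cmdline):
    """Return a finding dict if the command writes a known autostart location, else None.

    Extra indicators are appended when the entry's target lives in the user's
    Temp directory or is a shortcut, both seen in the report's command.
    """
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    hive, path = normalize_key(parsed["key"])
    labels = [label for suffix, vname, label in AUTOSTART
              if path == suffix and (vname is None or parsed["value"].lower() == vname)]
    if not labels:
        return None
    data = parsed["data"] or ""
    if re.search(r"\\appdata\\local\\temp\\", data, re.IGNORECASE):
        labels.append("target lives under the user's Temp directory")
    if data.lower().endswith(".lnk"):
        labels.append("target is a shortcut (.lnk), not the executable itself")
    return {"hive": hive, "key": path, "value": parsed["value"], "data": data, "indicators": labels}


if __name__ == "__main__":
    print(classify_reg_add(SAMPLE_CMDLINE))
```

On the command line from the tree this yields the Load-value finding plus both extra indicators; a `reg add` under an unrelated key, or a `reg query`, returns None. Hive aliases and a full reg.exe path are normalised so the same check works on command lines lifted from EDR or Sysmon event 1 telemetry.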
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize 1.1MB
MD5 0ede5189d2124e2de33daca7dfacecd8
SHA1 b5b62e468bbc494bf039a2b84748a1c54ddf21cb
SHA256 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
SHA512 dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize 85KB
MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize 85KB
MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
memory/1476-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1476-66-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-65-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-67-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-64-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-69-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-72-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-74-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize 608KB
-
memory/1476-76-0x00000000021E0000-0x0000000002220000-memory.dmp
Filesize 256KB
-
memory/1476-78-0x00000000021E0000-0x0000000002220000-memory.dmp
Filesize 256KB
-
memory/2032-58-0x0000000000200000-0x0000000000240000-memory.dmp
Filesize 256KB