1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe
Size

104KB
MD5

2f1a9d2f9b31487ddd3646786c4e9383
SHA1

e1c8a1902bfbf6bfbc5ee7ca5aabcedb26c4207a
SHA256

1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286
SHA512

d50e684c4871b35788b8f048f5b9ccc7224bba0695f78d2430c7c0814f2a9da2f17f007f38ea8b713d28932bdd7f9ace2b5e75eab87f542c787f31f004317ea0
SSDEEP

1536:kvzLIlh70D0c/vFr2YLh8YDjDSWPBFhvt8Bmb1pBJ1gr7:k20vN2y5DlFhvt8cZpH1a7

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2620	WindowsTask.exe
2788	windows.exe
3032	{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe

Loads dropped DLL 6 IoCs

pid	Process
1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe
1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe
2620	WindowsTask.exe
2620	WindowsTask.exe
2620	WindowsTask.exe
1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	windows.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1693751658"	{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe
2788	windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2620	1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe	29
PID 1852 wrote to memory of 2620	1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe	29
PID 1852 wrote to memory of 2620	1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe	29
PID 1852 wrote to memory of 2620	1852	1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe	29
PID 2620 wrote to memory of 2788	2620	WindowsTask.exe	30
PID 2620 wrote to memory of 2788	2620	WindowsTask.exe	30
PID 2620 wrote to memory of 2788	2620	WindowsTask.exe	30
PID 2620 wrote to memory of 2788	2620	WindowsTask.exe	30

C:\Users\Admin\AppData\Local\Temp\1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7a1f1124487e81bfd6b58cdd0aeba1dfdf6e4db4205c19eff95d8e059b286.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852
- C:\ProgramData\StatBack\WindowsTask.exe
  "C:\ProgramData\StatBack\WindowsTask.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\ProgramData\StatBack\windows.exe
    C:\ProgramData\StatBack\windows.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2788

C:\Users\Admin\AppData\Local\Temp\{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe
"C:\Users\Admin\AppData\Local\Temp\{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{1CC5402F-6CCE-4c44-96A5-233AA0AED968}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\StatBack\1.bin

Filesize
154KB

MD5
21d9e55516bd1fa1d93e259dbc41ab89

SHA1
a4981db16a421450f782b58754bc34ecd426757c

SHA256
6e970e95c8c73f389026e11b2ae5a08b6ea2d85f368805f9223a817289d5d382

SHA512
c4205d2aa8e92ad752df81d2c565bd20b13cd5b0cfa9eb22a4f748cd6bd5be393b88ce49237077ea85d4f173ea246e07adae4dadd1dc0b79d5c1aa58aae628fd

Download Submit
C:\ProgramData\StatBack\DuiLib_u.dll

Filesize
459KB

MD5
56072dfb985e2108f83088fc53eb8d28

SHA1
7511fa54087b8a3f6b15f35e93b348dbb77ba90e

SHA256
86a5bb96638aee5f0472f5ba1e0684fc9fe7d978c7144c674c364392fb251342

SHA512
514fe9279bb3b0c82c37ebcbb3667c2057b5f9c2fd3317fd175bd0cab1ca7cddc60e45a53949e8c185936af7e3de3bb1953596b7b0bad26e3eaa7e4391597130

Download Submit
C:\ProgramData\StatBack\WindowsTask.exe

Filesize
898KB

MD5
50e85dab4395758b21ae04a9dbc13e7d

SHA1
179a1fb53eb3e067940733b64fd785e3790de7ad

SHA256
7ed33632bd20f8c1864148b5e5cb879ba39f0846b672704c554a28bbdc91ffc4

SHA512
566b75ab69ad9160c56d170a01060015b375b047ba11b4455f1999cbef8868604ecfcf9b4605c13d0685df0619c78f2426b32fe15564a6e9301d726a519543f7

Download Submit
C:\ProgramData\StatBack\WindowsTask.exe

Filesize
898KB

MD5
50e85dab4395758b21ae04a9dbc13e7d

SHA1
179a1fb53eb3e067940733b64fd785e3790de7ad

SHA256
7ed33632bd20f8c1864148b5e5cb879ba39f0846b672704c554a28bbdc91ffc4

SHA512
566b75ab69ad9160c56d170a01060015b375b047ba11b4455f1999cbef8868604ecfcf9b4605c13d0685df0619c78f2426b32fe15564a6e9301d726a519543f7

Download Submit
C:\ProgramData\StatBack\sqlite3.dll

Filesize
44KB

MD5
427588c72b55d99d60125731a27876da

SHA1
8a339cc7fe16ddb93b2d1528af1fac8d7bc94aeb

SHA256
5b6edd22d6faa75c0e3c21e6a700e053ad1613f389a88e9f30e59384475f3deb

SHA512
9a152b0617ad9e9b9872361bf86c63ca650994a1aae31f948f4c228bbfb8671cb94895b8ce961cac4d0a3f0c2d2534d5e26c7144ab142456cae163e3ed437113

Download Submit
C:\ProgramData\StatBack\windows.exe

Filesize
300KB

MD5
d4be34e47659dcbe014b8ca1f3f8afc6

SHA1
f7d022a155a26fa10d288666d8f02d0509d1ab10

SHA256
9e9fe1de697c6ece46c80187b8a127685f7ec097e80d6688fa97eeef6f44d7a3

SHA512
8adb9843c9c09f422fd15afd45a3b392e80fe85571e64f1b1a002b22e19926c876b62ee53853b370c6a6e79e7ffd361c5ab7d69f1a8b557216e5e08bdeefdbd9

Download Submit
C:\ProgramData\StatBack\windows.exe

Filesize
300KB

MD5
d4be34e47659dcbe014b8ca1f3f8afc6

SHA1
f7d022a155a26fa10d288666d8f02d0509d1ab10

SHA256
9e9fe1de697c6ece46c80187b8a127685f7ec097e80d6688fa97eeef6f44d7a3

SHA512
8adb9843c9c09f422fd15afd45a3b392e80fe85571e64f1b1a002b22e19926c876b62ee53853b370c6a6e79e7ffd361c5ab7d69f1a8b557216e5e08bdeefdbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CC5402F-6CCE-4c44-96A5-233AA0AED968}

Filesize
215B

MD5
2d904a42e1ffb3798897807c5d99fea6

SHA1
e84625c0e4599b21136874ef43d603da953c861c

SHA256
018fef17a67bde399beb1bca78b740ac18f7b16ab7a880f0906d48bd135c90b3

SHA512
486891831e39749877f23408dd4906960fb4be647a87c8ff539033a13f1d22fc4e49a2ca4ad4ed0751f608906e8bb4ecaf6a39879c14be4221cd7533f322ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
\ProgramData\StatBack\DuiLib_u.dll

Filesize
459KB

MD5
56072dfb985e2108f83088fc53eb8d28

SHA1
7511fa54087b8a3f6b15f35e93b348dbb77ba90e

SHA256
86a5bb96638aee5f0472f5ba1e0684fc9fe7d978c7144c674c364392fb251342

SHA512
514fe9279bb3b0c82c37ebcbb3667c2057b5f9c2fd3317fd175bd0cab1ca7cddc60e45a53949e8c185936af7e3de3bb1953596b7b0bad26e3eaa7e4391597130

Download Submit
\ProgramData\StatBack\WindowsTask.exe

Filesize
898KB

MD5
50e85dab4395758b21ae04a9dbc13e7d

SHA1
179a1fb53eb3e067940733b64fd785e3790de7ad

SHA256
7ed33632bd20f8c1864148b5e5cb879ba39f0846b672704c554a28bbdc91ffc4

SHA512
566b75ab69ad9160c56d170a01060015b375b047ba11b4455f1999cbef8868604ecfcf9b4605c13d0685df0619c78f2426b32fe15564a6e9301d726a519543f7

Download Submit
\ProgramData\StatBack\WindowsTask.exe

Filesize
898KB

MD5
50e85dab4395758b21ae04a9dbc13e7d

SHA1
179a1fb53eb3e067940733b64fd785e3790de7ad

SHA256
7ed33632bd20f8c1864148b5e5cb879ba39f0846b672704c554a28bbdc91ffc4

SHA512
566b75ab69ad9160c56d170a01060015b375b047ba11b4455f1999cbef8868604ecfcf9b4605c13d0685df0619c78f2426b32fe15564a6e9301d726a519543f7

Download Submit
\ProgramData\StatBack\sqlite3.dll

Filesize
44KB

MD5
427588c72b55d99d60125731a27876da

SHA1
8a339cc7fe16ddb93b2d1528af1fac8d7bc94aeb

SHA256
5b6edd22d6faa75c0e3c21e6a700e053ad1613f389a88e9f30e59384475f3deb

SHA512
9a152b0617ad9e9b9872361bf86c63ca650994a1aae31f948f4c228bbfb8671cb94895b8ce961cac4d0a3f0c2d2534d5e26c7144ab142456cae163e3ed437113

Download Submit
\ProgramData\StatBack\windows.exe

Filesize
300KB

MD5
d4be34e47659dcbe014b8ca1f3f8afc6

SHA1
f7d022a155a26fa10d288666d8f02d0509d1ab10

SHA256
9e9fe1de697c6ece46c80187b8a127685f7ec097e80d6688fa97eeef6f44d7a3

SHA512
8adb9843c9c09f422fd15afd45a3b392e80fe85571e64f1b1a002b22e19926c876b62ee53853b370c6a6e79e7ffd361c5ab7d69f1a8b557216e5e08bdeefdbd9

Download Submit
\Users\Admin\AppData\Local\Temp\{A29357AE-BDAB-4c78-8353-7E4487E0D281}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
memory/1852-1-0x0000000003890000-0x0000000003BC9000-memory.dmp

Filesize
3.2MB

Download
memory/1852-2-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/2788-176-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2788-181-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2788-182-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2788-183-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2788-187-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download