Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

231114-vxdw7sdg61 10

28-10-2023 19:29

231028-x7cs1age56 10

24-10-2023 13:29

231024-qrn3rsdb6z 10

18-10-2023 12:04

231018-n8ybnaeb31 10

07-09-2023 12:10

230907-pce1wahe2x 10

Analysis

  • max time kernel
    29s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-09-2023 12:10

General

  • Target

    dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe

  • Size

    26KB

  • MD5

    00683c2668d0329457a67a5d5523d1ef

  • SHA1

    8831515122545e6eb889bfefc66615b78cd0df2e

  • SHA256

    dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

  • SHA512

    6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff

  • SSDEEP

    384:1iN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Df26eznKKfN/vx:1iZj9OnRnmSs1d8HXVEu5TWyO8/vOa

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe
    "C:\Users\Admin\AppData\Local\Temp\dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2380

Network

  • DNS (US)
    xvxvxv.no-ip.biz
    Trojan.exe
    Remote address: 8.8.8.8:53
    Request: xvxvxv.no-ip.biz IN A
    Response: No results found
  • 8.8.8.8:53
    xvxvxv.no-ip.biz
    dns
    Trojan.exe
    62 B
    122 B
    1
    1
    DNS Request: xvxvxv.no-ip.biz

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Trojan.exe

    Filesize

    26KB

    MD5

    00683c2668d0329457a67a5d5523d1ef

    SHA1

    8831515122545e6eb889bfefc66615b78cd0df2e

    SHA256

    dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

    SHA512

    6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe

    Filesize

    26KB

    MD5

    00683c2668d0329457a67a5d5523d1ef

    SHA1

    8831515122545e6eb889bfefc66615b78cd0df2e

    SHA256

    dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

    SHA512

    6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff

  • \Users\Admin\AppData\Local\Temp\Trojan.exe

    Filesize

    26KB

    MD5

    00683c2668d0329457a67a5d5523d1ef

    SHA1

    8831515122545e6eb889bfefc66615b78cd0df2e

    SHA256

    dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3

    SHA512

    6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff

  • memory/1824-10-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

  • memory/2268-0-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2268-1-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2268-2-0x0000000000280000-0x00000000002C0000-memory.dmp

    Filesize

    256KB

  • memory/2268-11-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB
