Overview

overview

7

Static

static

3

242166e470...5d.exe

windows7-x64

7

242166e470...5d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2023 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    242166e4707c1703abb52f6e02668ab422995919b7d9173d76f207d518742c5d.exe

  • Size

    2.2MB

  • MD5

    97379854bfd5da3b386a3fc1e499d3a9

  • SHA1

    6bc99f0adadc5f8ee952cf1f6dc473e5720607e4

  • SHA256

    242166e4707c1703abb52f6e02668ab422995919b7d9173d76f207d518742c5d

  • SHA512

    9c78927ffb0947b3f59d1665b58bf11b3caf421e0bc17491eb9d82b06dd00a987417402568480f7b0452799ad7ac09fd5b64e1943e803e051c3540abf2dad55c

  • SSDEEP

    24576:3+nac7cIAaiYPhr/v/wU7BBU1WYu2sxoghVf1FEV+njDwRtympOZH7VXEl7NSXyG:u9IIhPdAUsrXchVF3Gt/gZH7VoQyjLm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\242166e4707c1703abb52f6e02668ab422995919b7d9173d76f207d518742c5d.exe
    "C:\Users\Admin\AppData\Local\Temp\242166e4707c1703abb52f6e02668ab422995919b7d9173d76f207d518742c5d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\system32\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\sdp升级详细文档.docx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sdp升级详细文档.docx"
        3⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:680
      • C:\Users\Public\WeChat.exe
        C:\Users\Public\WeChat.exe
        2⤵
        • Executes dropped EXE
        PID:1520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      b31cbc6380ce963598725ad187423514

      SHA1

      269efca39974f0ecd9b7c8642a326f8d81d4990c

      SHA256

      d3137ea1248e0757f7ed203f416dfbfdbc87e5fdc9b42e300f4514f41a07864a

      SHA512

      1ecfd4138ca28304599b980e8aa3a419d51e4ac9dd80bebbf1a4e179898c414ecadbc098833161632a0c7ea6aeea830f2b8fddc08332d012119a12480c7f37a0

      Download Submit

    • C:\Users\Public\WeChat.exe
      Filesize

      128KB

      MD5

      44c31ea1ca03e1e344346b24904e07cf

      SHA1

      ec69273486b199dcbdcb2d902e7b44548c9b2ac7

      SHA256

      0c17375fae0d3d47a76c3b6f188711aac7b3f84f33efe1d56b9bf4781363788f

      SHA512

      d69982a7df9cad3872eb2d32e1edee0de67beedd0c2712eda5e65c3b78cb14eab3a35a2033840a480db99d5ad7a3342318864a58c1120bf55b01f1fba1505494

      Download Submit

    • \Users\Public\WeChat.exe
      Filesize

      128KB

      MD5

      44c31ea1ca03e1e344346b24904e07cf

      SHA1

      ec69273486b199dcbdcb2d902e7b44548c9b2ac7

      SHA256

      0c17375fae0d3d47a76c3b6f188711aac7b3f84f33efe1d56b9bf4781363788f

      SHA512

      d69982a7df9cad3872eb2d32e1edee0de67beedd0c2712eda5e65c3b78cb14eab3a35a2033840a480db99d5ad7a3342318864a58c1120bf55b01f1fba1505494

      Download Submit

    • memory/2780-27-0x000000002FEB1000-0x000000002FEB2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2780-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2780-30-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2780-38-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2780-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2780-55-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download