Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2023, 14:58

General

  • Target

    file.exe

  • Size

    1.4MB

  • MD5

    52004103058f5a84c12ce81799aa7f4b

  • SHA1

    ab2f4b6a202e9d79695165147129f68cc52a38a6

  • SHA256

    a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5

  • SHA512

    916ff0113dfbc63dc881f77da3cf1ace8be65b4ad15976970df121f844c80bad0d7a87d763a144cfca15fbcb768458e7f321ddc690afba3f6874f33396a1094e

  • SSDEEP

    24576:+yl2yZYl0YwPwAprTjvU7jECi2Ue7R623orbguop1aKu5UaWuXPcUzZk7pKyV58:Ncyi234ARTjqjZeCB3orQpcJ5UaWuNWz

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2680
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 272
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2628

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe

          Filesize

          1.3MB

          MD5

          0c572fbe41cbb0572c8800f24702de24

          SHA1

          78fac8edfc9a499008ecaa4f51b6d60b5191e94f

          SHA256

          fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32

          SHA512

          5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe

          Filesize

          894KB

          MD5

          9f326be1d6b50927040011f3a65a0ef6

          SHA1

          439a6acdf37c927bbc92e3e41726ff1ca4a3e684

          SHA256

          57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333

          SHA512

          93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe

          Filesize

          533KB

          MD5

          2a2c3dcda47bdfbeed60f4d14c72bc38

          SHA1

          5648dc8b940ba0f0f732c507a169425c8f7783fe

          SHA256

          22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9

          SHA512

          0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe

          Filesize

          232KB

          MD5

          3ff825411b1fe07e712a5dcae34f80eb

          SHA1

          e3e4358cabfa74d6e36e26754b01ed78434a6877

          SHA256

          69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

          SHA512

          325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

        • memory/2680-40-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-45-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-49-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-47-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-43-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-44-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

        • memory/2680-42-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2680-41-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB