Analysis

max time kernel: 139s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/12/2023, 15:47
Behavioral task: behavioral1
  Sample: dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Resource: win10v2004-20231215-en
General

Target: dd2e2cf10a41a07faa2bfc890a30ef28.exe
Size: 6.9MB
MD5: dd2e2cf10a41a07faa2bfc890a30ef28
SHA1: fc9e90c465f8457f8e0cff8fdac85b412c09d7e1
SHA256: 57926c629184179f9f15f942b791bd36bfec63e28b87dd7b2f701b878bba7df4
SHA512: ec7da112c4d574bd78aed1648c1586e6eeb851bc7cb9d29969a779cda5eb98ea1709da19dce0ded19192f96c959a7e5af872ad704c16ebb86be759931ca3f53b
SSDEEP: 196608:fOKzCPwaYLFn9WpTIA6qmF5RZLL9wVzSyUCIQ:f3CHMFApcA69Pn9qSy1
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  1720  msconfig.exe
  2960  services32.exe
  2956  sihost32.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  660   dd2e2cf10a41a07faa2bfc890a30ef28.exe
  1720  msconfig.exe
  2960  services32.exe

YARA rule match: vmprotect (2 IoCs)
  resource                                                                   yara_rule
  behavioral1/memory/660-2-0x0000000000400000-0x0000000000AE3000-memory.dmp  vmprotect
  behavioral1/memory/660-6-0x0000000000400000-0x0000000000AE3000-memory.dmp  vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid  Process
  660  dd2e2cf10a41a07faa2bfc890a30ef28.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2804  schtasks.exe
  112   schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  660   dd2e2cf10a41a07faa2bfc890a30ef28.exe
  1720  msconfig.exe
  2960  services32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1720  msconfig.exe
  Token: SeDebugPrivilege  2960  services32.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   Process                               procid_target
  PID 660 wrote to memory of 1720   660   dd2e2cf10a41a07faa2bfc890a30ef28.exe  28
  PID 660 wrote to memory of 1720   660   dd2e2cf10a41a07faa2bfc890a30ef28.exe  28
  PID 660 wrote to memory of 1720   660   dd2e2cf10a41a07faa2bfc890a30ef28.exe  28
  PID 660 wrote to memory of 1720   660   dd2e2cf10a41a07faa2bfc890a30ef28.exe  28
  PID 1720 wrote to memory of 3008  1720  msconfig.exe                          29
  PID 1720 wrote to memory of 3008  1720  msconfig.exe                          29
  PID 1720 wrote to memory of 3008  1720  msconfig.exe                          29
  PID 3008 wrote to memory of 2804  3008  cmd.exe                               31
  PID 3008 wrote to memory of 2804  3008  cmd.exe                               31
  PID 3008 wrote to memory of 2804  3008  cmd.exe                               31
  PID 1720 wrote to memory of 2960  1720  msconfig.exe                          32
  PID 1720 wrote to memory of 2960  1720  msconfig.exe                          32
  PID 1720 wrote to memory of 2960  1720  msconfig.exe                          32
  PID 2960 wrote to memory of 2928  2960  services32.exe                        35
  PID 2960 wrote to memory of 2928  2960  services32.exe                        35
  PID 2960 wrote to memory of 2928  2960  services32.exe                        35
  PID 2960 wrote to memory of 2956  2960  services32.exe                        37
  PID 2960 wrote to memory of 2956  2960  services32.exe                        37
  PID 2960 wrote to memory of 2956  2960  services32.exe                        37
  PID 2928 wrote to memory of 112   2928  cmd.exe                               38
  PID 2928 wrote to memory of 112   2928  cmd.exe                               38
  PID 2928 wrote to memory of 112   2928  cmd.exe                               38
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe  (depth 1, PID 660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\msconfig.exe  (depth 2, PID 1720)
    Command line: "C:\Users\Admin\AppData\Roaming\msconfig.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (depth 3, PID 3008)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe  (depth 4, PID 2804)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\services32.exe  (depth 3, PID 2960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\services32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe  (depth 4, PID 2928)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe  (depth 5, PID 112)
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
          - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe  (depth 4, PID 2956)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: 0be8b762903b2a90843b9c3e3db3b471
  SHA1: e7cf9bcb4c809340ebbd9aeb09bcb76e6468552a
  SHA256: a937d5e7a70b9c789df57de34f41595107a6277fe4150190363d9661e7b96b3f
  SHA512: 31e44025376097f88f36430e83e08b9457b9e45a44e9b6f5737da0cf5dc339f69a0fd3f015877391a2c5b24dc3f0b3ecb86cd049b1237b11fd4b9b19a3c9dc3b

- Filesize: 864KB
  MD5: 23d0f836b2960d74d4d1dac9c3405b66
  SHA1: 1b092d1891c5bb6c7f1452127b72f14b4c2c1f79
  SHA256: 5e314bfe4bb54d4f8ae6094bcff31e8c9b75770ca143eec71b6105af02b6eef2
  SHA512: 83a0385f619b2da13f78c8c341f55020cf96cc30cdda2ea73b9dad34ae512387e1fd2e0dce33eb14c0b9bda438a0c03ea3535a4e62020f693946d2696f533219

- Filesize: 826KB
  MD5: ddbd9ebdd46645157a0eb34edab4358d
  SHA1: 89a3f4a367f6fd97f4fd4cb457c2db30bbd6c1bb
  SHA256: 1a35de0fe3cb2b85de3ca0a41606f9db79ea788fab8254bb59f239c2ab901c3c
  SHA512: db1debf82bc7d5b68302004abc9430494286d06029a046f2390578b11a5b5e6525adac0a17a525a92945d18440a4bf2e2013a256e6288fc29e003f42e2a1f092

- Filesize: 1.4MB
  MD5: 5f102f5f09eca1ad0ffec009117b559c
  SHA1: 509b72a2ed190f90263d7e2eb37b5f854137e55c
  SHA256: e1dbce579b50c0b06b3caa454aa4c1396dac05409d33a2b5790456d6a578548e
  SHA512: 8a06d8a2be8c1f7995818c52ea099e8d6f358cebdb07f3c270d69a27ce64f348639a1422f06f8460947688e0eebd275857ea8820eaa5e900ad4d95d8fd885025

- Filesize: 1.5MB
  MD5: 918a85170b64242730f12ee6fbac0fa2
  SHA1: 4efbd541664dd987931e3e6c0bd3cb45ccaa8dbb
  SHA256: 8a7501ca02a7b8e8bbb3693e41fb256e4ee5f5e70cb6fc3f60adc8995240e560
  SHA512: c1164b55974bb20c31b578b8f0a485c9493f734a5a1d24322728e4e033da0faa7fc7b870e0a94b725f8ab073ab0eaf9da4cc2ce7736957ce3c7acd2c9f250d1c

- Filesize: 1.1MB
  MD5: 247760a2ca78500ed2c87d7e9612436e
  SHA1: d917191a62c9497ad793f5571265ae45724ca4b2
  SHA256: 005e044eb04a89bdd032b41d0894c34c585dbd3c8a34ce58a69745c2232f1f02
  SHA512: c78660585df3a21c7a5cd7d934b3d0a823a68790a00f7e959e00a26294cbdfe1b70da71c0e5e5291df93d5883a739b7efb033e5f0cc7f2760e968fee647f3ef9

- Filesize: 8KB
  MD5: 1415d3cef8766b64044d48804587e97d
  SHA1: 4d5d324dc95cacfffe08a30096c95892ae22660e
  SHA256: 530f0f19333c1b89a59017b7728d0128514f1f18705af48cb4428f87bf833849
  SHA512: 48d0d3ea6abaaf2ed94aceea28ff4de0b8d823de5e35641860e7c9736f860c8491087d5e9a6a108a50e82db8ce0e4cf33efc3d4a390368618939cf92cf594765

- Filesize: 919KB
  MD5: 979861237c93e9a7847102eac3f35f25
  SHA1: 6cf8339b30cf877d5160ba39c799a5dda57e15d5
  SHA256: 7c4005388b4aca10385a690a4059758265012b27dccb13ee82f588cee30e6c9a
  SHA512: 24ef07e62b711195c0bddf62101df0d25e45a93dd85efe831d1b081a1011723b852b030eaa3842f3528ebac841e4fca6c4caff1450a69d002dca5998053376a7