Analysis
max time kernel: 151s
max time network: 169s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 14:11
Behavioral task: behavioral1
  Sample: b9d72d1c9c8b68ab90f20104510f7788.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: b9d72d1c9c8b68ab90f20104510f7788.exe
  Resource: win10v2004-20231215-en
General
Target: b9d72d1c9c8b68ab90f20104510f7788.exe
Size: 821KB
MD5: b9d72d1c9c8b68ab90f20104510f7788
SHA1: 93c9138ef2fa00636701c26abd5b97c43f854f9f
SHA256: fe483a42cd66f760774449e8fcdabd303640476b119c8a2d1d053dce41e5f19e
SHA512: 689216add468e91ecf6d8121edc5b5ca61e77e6e1a1230bde2491c8aea86909d46ad2ece6bd818e5f200a3194975f704d2f8b0c6029c010f42730693b8a79080
SSDEEP: 12288:tiRbwtuIZcR7yb4QpfMjQbpgE4PhR7sla0cTREgCflO9dJ5IECpxOokLZsCtQw1l:UsusL0jNPvAPsLCcjukL2CDYO
Malware Config
Signatures

Deletes itself 1 IoCs
  PID 2856  b9d72d1c9c8b68ab90f20104510f7788.exe

Executes dropped EXE 1 IoCs
  PID 2856  b9d72d1c9c8b68ab90f20104510f7788.exe

Loads dropped DLL 1 IoCs
  PID 2988  b9d72d1c9c8b68ab90f20104510f7788.exe

YARA rule matches (resource / yara_rule)
  behavioral1/memory/2988-0-0x0000000000400000-0x000000000065C000-memory.dmp  upx
  behavioral1/files/0x000c0000000133bd-11.dat  upx
  behavioral1/files/0x000c0000000133bd-17.dat  upx
  behavioral1/memory/2988-16-0x0000000023030000-0x000000002328C000-memory.dmp  upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2880  schtasks.exe

Modifies system certificate store (description / ioc / Process)
  Set value (data)  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 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  b9d72d1c9c8b68ab90f20104510f7788.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  b9d72d1c9c8b68ab90f20104510f7788.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  b9d72d1c9c8b68ab90f20104510f7788.exe
  Key created  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405  b9d72d1c9c8b68ab90f20104510f7788.exe

Suspicious behavior: RenamesItself 1 IoCs
  PID 2988  b9d72d1c9c8b68ab90f20104510f7788.exe

Suspicious use of UnmapMainImage 2 IoCs
  PID 2988  b9d72d1c9c8b68ab90f20104510f7788.exe
  PID 2856  b9d72d1c9c8b68ab90f20104510f7788.exe

Suspicious use of WriteProcessMemory 16 IoCs
  description                          pid   Process                                   procid_target
  PID 2988 wrote to memory of 2856     2988  b9d72d1c9c8b68ab90f20104510f7788.exe      19
  PID 2988 wrote to memory of 2856     2988  b9d72d1c9c8b68ab90f20104510f7788.exe      19
  PID 2988 wrote to memory of 2856     2988  b9d72d1c9c8b68ab90f20104510f7788.exe      19
  PID 2988 wrote to memory of 2856     2988  b9d72d1c9c8b68ab90f20104510f7788.exe      19
  PID 2856 wrote to memory of 2880     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      25
  PID 2856 wrote to memory of 2880     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      25
  PID 2856 wrote to memory of 2880     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      25
  PID 2856 wrote to memory of 2880     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      25
  PID 2856 wrote to memory of 2748     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      33
  PID 2856 wrote to memory of 2748     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      33
  PID 2856 wrote to memory of 2748     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      33
  PID 2856 wrote to memory of 2748     2856  b9d72d1c9c8b68ab90f20104510f7788.exe      33
  PID 2748 wrote to memory of 2740     2748  cmd.exe                                   34
  PID 2748 wrote to memory of 2740     2748  cmd.exe                                   34
  PID 2748 wrote to memory of 2740     2748  cmd.exe                                   34
  PID 2748 wrote to memory of 2740     2748  cmd.exe                                   34
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\b9d72d1c9c8b68ab90f20104510f7788.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9d72d1c9c8b68ab90f20104510f7788.exe"
  PID: 2988
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\b9d72d1c9c8b68ab90f20104510f7788.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b9d72d1c9c8b68ab90f20104510f7788.exe
    PID: 2856
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b9d72d1c9c8b68ab90f20104510f7788.exe" /TN x1iLRz9v069a /F
      PID: 2880
      - Creates scheduled task(s)

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN x1iLRz9v069a > C:\Users\Admin\AppData\Local\Temp\ZfEFS3FOY.xml
      PID: 2748
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks.exe /Query /XML /TN x1iLRz9v069a
        PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: a210c1b79b6ab04f7314c9551e8bf973
  SHA1: 355041d2bf3d99e5ac3354a34013dd96f1b9af8a
  SHA256: 947e1c4d03714316c2fc819da2522e596e80e1632e980785845c836138d49fe8
  SHA512: f59935f04aeeb116080a239edcd55a1c73deff7d9cee53665807edcfdcaffa0f76cc4e8851f9a35701672535ea06a6d70d7e5dd99e9b150fa86e26b047e8a1f8

File 2
  Filesize: 198KB
  MD5: db4ba6e5f3bf8e9740719dda25757c42
  SHA1: 748ce4d34caf877ea92a3d5e5aa0f2d5fd86d273
  SHA256: d44604c2102330b2e31daed2a3f2eee5f9a66848da885dfb371fa22a6aca3233
  SHA512: 55860218fa890da8457ebdf357b95eafbf5d4066d173260d55f84d7e98ce65913bfe2990ecb8e752607257e054a191656767b40db9a2ef1425270fdd9bdee31f

File 3
  Filesize: 283KB
  MD5: 76d9584616ec3dd4da38214c6edfbe21
  SHA1: d400f7519d05cbed36f66bdd17f9110c57364bc5
  SHA256: 3d1b3c1b1b16d6dab0489adf00249d62ac916dfb31ffec9ff85db7533b6060da
  SHA512: 12d1ed0215ed043bc42fd2138d41c660d4014f1b072a3bb3e02202ff094780802c00a34aeffa5571788c2f1118bab706cf0d1b3075a83d4c2b5711ff84554804