Analysis
max time kernel: 22s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 21:44
Static task: static1
Behavioral task: behavioral1
  Sample: 13892f89e644f5b87947c4513d1eeac2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 13892f89e644f5b87947c4513d1eeac2.exe
  Resource: win10v2004-20231215-en
General
Target: 13892f89e644f5b87947c4513d1eeac2.exe
Size: 61KB
MD5: 13892f89e644f5b87947c4513d1eeac2
SHA1: 6833e1303ffb2c81473d89853b6d353fa867c055
SHA256: 7b9647cc799f98bc2af9f7f1ea1e74b746277ea21da8f6a68c69bdff6971faf0
SHA512: 5cfff4d25fb10b8abd369546885899e2c20c3c8708bc226f52bfee3e8ad24f765d7bdc057cd9da12899da6e1c754c4f6ccb3a5a420771fba15f5da49a14adb37
SSDEEP: 1536:I5yMHaeuzu8bW5ffqnbVmXkWyb5j7XntdUx1ID+:QyRNnbWqakWyxXnPs1Iy
Malware Config
Signatures

Sets DLL path for service in the registry (2 TTPs, 3 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\rmffxr\Parameters\ServiceDll = "%SystemRoot%\\System32\\vawavf.dll"
  Process: 13892f89e644f5b87947c4513d1eeac2.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rmffxr\Parameters\ServiceDll = "%SystemRoot%\\System32\\vawavf.dll"
  Process: 13892f89e644f5b87947c4513d1eeac2.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\rmffxr\Parameters\ServiceDll = "%SystemRoot%\\System32\\vawavf.dll"
  Process: 13892f89e644f5b87947c4513d1eeac2.exe

Loads dropped DLL (2 IoCs)
  pid 1984  Process: 13892f89e644f5b87947c4513d1eeac2.exe
  pid 2668  Process: svchost.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\00067ea9.ini
  Process: 13892f89e644f5b87947c4513d1eeac2.exe
  description: File created
  ioc: C:\Windows\SysWOW64\vawavf.dll
  Process: 13892f89e644f5b87947c4513d1eeac2.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2668  Process: svchost.exe
  pid 2668  Process: svchost.exe
  pid 2668  Process: svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\13892f89e644f5b87947c4513d1eeac2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13892f89e644f5b87947c4513d1eeac2.exe"
  PID: 1984
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -Krmffxr
  PID: 2668
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 43KB
MD5: e32243f5c4c0e43bb61d7c1c71c12867
SHA1: 6f33adeec62f25b20871c1fc8685c29fb6440690
SHA256: 27271565e6dc1166ab92bdd3583f6938358f2b22595d9a12bdd5159f6191fd48
SHA512: 0be0fa87c83063ba107b521281a93412dd3da147fecfc9c249ca2353b5fa2298b2e5d1b2ef61b7c7b62d29ef3fb11d1e46215136a0b9194308930667ee47bf86