Analysis
max time kernel: 142s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 23:55
Static task: static1
Behavioral task: behavioral1
  Sample: 1b1a115d197506fe367806281b279dc6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1b1a115d197506fe367806281b279dc6.exe
  Resource: win10v2004-20231215-en
General
Target: 1b1a115d197506fe367806281b279dc6.exe
Size: 703KB
MD5: 1b1a115d197506fe367806281b279dc6
SHA1: 6c920e35404e12a9b94fdf28d4b8dc692f843fa7
SHA256: 6c3b6deb520c98c0efa7968bbec15cd1fb7a60c09f00503d025c97bc0116ca5e
SHA512: 22e3b94ff360592625118f94c94df4d37080a0dbbc0f30e27578b6d0b237ac6c9a6bd3cc6a269c195a390320dbe35d1e4f4ef946c5c7847cd368ea07fcdc4aa3
SSDEEP: 12288:JDs5xGSWm2AxYi87eTQeOfP6QF8F2Dy7P8F0jpX5zE9r0v1Mkcsf:e5dxTQpTf
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2192, process svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIC Drive = "C:\\Users\\Admin\\AppData\\Local\\Postman\\svchost.exe" (process: svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3068, process AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 3068, process AcroRd32.exe
  pid 3068, process AcroRd32.exe
  pid 3068, process AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2924 wrote to memory of 3068 (1b1a115d197506fe367806281b279dc6.exe, procid_target 29)
  PID 2924 wrote to memory of 3068 (1b1a115d197506fe367806281b279dc6.exe, procid_target 29)
  PID 2924 wrote to memory of 3068 (1b1a115d197506fe367806281b279dc6.exe, procid_target 29)
  PID 2924 wrote to memory of 3068 (1b1a115d197506fe367806281b279dc6.exe, procid_target 29)
  PID 2924 wrote to memory of 2192 (1b1a115d197506fe367806281b279dc6.exe, procid_target 30)
  PID 2924 wrote to memory of 2192 (1b1a115d197506fe367806281b279dc6.exe, procid_target 30)
  PID 2924 wrote to memory of 2192 (1b1a115d197506fe367806281b279dc6.exe, procid_target 30)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b1a115d197506fe367806281b279dc6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b1a115d197506fe367806281b279dc6.exe"
   PID: 2924
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Delegation-Visit.pdf"
      PID: 3068
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Postman\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Postman\svchost.exe"
      PID: 2192
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 184KB
  MD5: c578ee4f05158761b90a020b7dc3a4fd
  SHA1: 8167bd66d6b413ca08e04dcc6d2072d8ab11fa55
  SHA256: 7902501e4e1e651774cd5e9e443e1f778214b412ed9b7d0db8df700fd4eb9d4f
  SHA512: d2f23036ccc8a03770da765c1acdc3b9bfaf8cec16bb06bd61b78be5084830c76824fe0501d7008db43d560355c0ee34158dc8ae318e579932e5bf00ce5ebd68

Filesize: 3KB
  MD5: b576c9cc6dae739cebe65932f89d4620
  SHA1: 3fdffc29b24e8093e09880ec9e1ad172f3e7cf36
  SHA256: 5946a59c9b584b4808d702753b40524cbc7c4a797157404058f19270b1989c77
  SHA512: 8b6ef7d1cd59d908b3674b49fa8664bf311b9127981714c09a6a36c713e976179204cce3fec83d6b6ee43c0a3772fc14efe66f6d5989373d04c285d1e0fdcd7a

Filesize: 11KB
  MD5: 5dbc7dba0d1d88cc582c77326ad6920c
  SHA1: 5769a36dbf02a160c523ced0556d109503528d86
  SHA256: a536f802e31bb7ab930d526c79127f61ca2e34469a840e07db4a79e9a2cefc3a
  SHA512: be50bedf03c7be656a1d5ece7c7bdc6475fdf478ac43935be88983203dea1f3b4217e70d09b9dda92c627784acc39a07c81ceb872f45dc4517a8115f8acb6e44