Overview

overview

7

Static

static

3

00de8624e1...f2.exe

windows7-x64

7

00de8624e1...f2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2023 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00de8624e1b252c5de3a95453be1b6f2.exe

  • Size

    480KB

  • MD5

    00de8624e1b252c5de3a95453be1b6f2

  • SHA1

    dbf51de96f8c68e11575ccaf62260b2cd4b4e7e2

  • SHA256

    a9c0ffb7c8bde11ccbd31e04d225e5eb901e84fbb4f8278744c807a434b9bde8

  • SHA512

    2b388ffb89234522b92a6b7bdabcde33db6bb6ca62b0ff344861659ae5c041218c1c389c7aef136536726de365afb0d1400a9e3c8e1085f23319ee51fe98eadd

  • SSDEEP

    6144:/K85clMQdCsA0CQ5f2oj1zSyB4rBfL1RCaSC0e7DETTq7xPRU3PFgx0bAhX:/K2SCf0P52oEyq1R3/UaNPRWPq6Q

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 17 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\00de8624e1b252c5de3a95453be1b6f2.exe
    "C:\Users\Admin\AppData\Local\Temp\00de8624e1b252c5de3a95453be1b6f2.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\N0TEPAD.EXE
      C:\Windows\system32\N0TEPAD.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2788
      • C:\Windows\SysWOW64\net1.exe
        net1.exe stop Alerter
        3⤵
          PID:2616
        • C:\Windows\SysWOW64\regedit.exe
          regedit.exe /s C:\Windows\system32\WinAlert.dll
          3⤵
          • Runs regedit.exe
          PID:2976
        • C:\Windows\SysWOW64\net1.exe
          net1.exe start Alerter
          3⤵
            PID:756
          • C:\Windows\SysWOW64\net1.exe
            net1.exe stop SharedAccess
            3⤵
              PID:1028
          • C:\Windows\ZIP.exe
            C:\Windows\ZIP.exe
            2⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetWindowsHookEx
            PID:2724
          • C:\Windows\SysWOW64\CMD.EXE
            C:\Windows\system32\CMD.EXE /C DEL /Q/F/S F:\*.GHO
            2⤵
              PID:2568
          • C:\Windows\SysWOW64\WBEM\SVCHOST.EXE
            C:\Windows\SysWOW64\WBEM\SVCHOST.EXE
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\SysWOW64\net1.exe
              net1.exe start Alerter
              2⤵
                PID:2740

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\MSINET.OCX
              Filesize

              112KB

              MD5

              7bec181a21753498b6bd001c42a42722

              SHA1

              3249f233657dc66632c0539c47895bfcee5770cc

              SHA256

              73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

              SHA512

              d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

              Download Submit

            • C:\Windows\SysWOW64\N0TEPAD.EXE
              Filesize

              47KB

              MD5

              9df87f8c609854d35b878c25b4fbb15f

              SHA1

              e9f71798788987e157c2a009df4c0ab2dd1a11bb

              SHA256

              76390321c50bc2ea584fdd874287f997d901e9e3b247a6c296fe30d47762cc39

              SHA512

              3ccc74ec08e34e6c6a8dc831500510493d9286a64e294040173eda278a478fa08a0cabd76c674a21a5d8a3187ff09e7d5d41a2e19912f3dc30f92130a7e31def

              Download Submit

            • C:\Windows\SysWOW64\NTSVC.OCX
              Filesize

              33KB

              MD5

              623eb10ca0eb3bd2f10fc1e0e78a0941

              SHA1

              52a120192ae8485e6bfaf39488a65ed3d7a07740

              SHA256

              c948b4196833ba2124dcdf224973d1640b101721729faec6c2e47424b1fb01a5

              SHA512

              a0a8e2dffb8d7a3ba16dfbcffac31083a4a88cec63918e88f6873409e0ee041188c9fdc745eb813c5de61330a9e768a195f40da557ce18419334d96344a1233d

              Download Submit

            • C:\Windows\SysWOW64\WinAlert.dll
              Filesize

              2KB

              MD5

              9b8dce245bbef4deaa6f2ffcd64ee5b7

              SHA1

              8553e541bc13758baa27f8a30762743b7e088534

              SHA256

              65b635b8ef6ab8f779ae9cc5cf45f1cb7544fd50e76db8f1d3038b5fed0cdfbb

              SHA512

              fc750d8f1f2e4a54cd5bf0d4869b5d961003b39042af7c077f1956bd5b036048ebad21d98ed55079a9412719ff6adcc07783a6aa608ac3cc7e5f09b0e1f1a7e0

              Download Submit

            • C:\Windows\ZIP.exe
              Filesize

              152KB

              MD5

              2e5838ea222348b7aee30737d0bd0846

              SHA1

              bac59f09587484831d3b759071e9bb5184da6ff2

              SHA256

              38d4f11cced8d1a6939a87019e66ee0bb5eeb4a6f56b398f0561212ebe020b18

              SHA512

              b2c32c96313c226b741f0bee6f3c9d97a7ea39c69d5b29cc555bc3a47ff01b34423eb6ed40f1b3e55ae07f76b2ccb375127f1050fc982975aae512bdbfaf9e30

              Download Submit

            • \Windows\SysWOW64\MSWINSCK.OCX
              Filesize

              108KB

              MD5

              e2ed33081890d5dd719a309d3946d6c2

              SHA1

              cc3e60ba8475089676aa402cb62223366ff58f34

              SHA256

              114c16f459eaeedc81817edde2f33ebb65c8c093aa66dd98a599395a07c4e061

              SHA512

              5a202c03615b58dea5d7fa641b6583f7463b8b68a9540912151b4ddb427466c4e1aaf87c8b1800f70be03d6008fd84add7d601000697c156031f9139dab85fac

              Download Submit

            • memory/1488-63-0x0000000000220000-0x0000000000222000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1488-74-0x0000000000400000-0x0000000000431000-memory.dmp

              Filesize

              196KB

              Download

            • memory/1488-70-0x0000000022170000-0x000000002218D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/2448-18-0x0000000001E20000-0x0000000001E51000-memory.dmp

              Filesize

              196KB

              Download

            • memory/2448-25-0x0000000001E20000-0x0000000001E51000-memory.dmp

              Filesize

              196KB

              Download

            • memory/2788-28-0x00000000002A0000-0x00000000002A2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2788-56-0x0000000022170000-0x000000002218D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/2788-58-0x0000000022170000-0x000000002218D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/2788-55-0x0000000000400000-0x0000000000431000-memory.dmp

              Filesize

              196KB

              Download

            • memory/2788-30-0x0000000000400000-0x0000000000431000-memory.dmp

              Filesize

              196KB

              Download

            • memory/2788-72-0x0000000000400000-0x0000000000431000-memory.dmp

              Filesize

              196KB

              Download

            • memory/2788-27-0x0000000000400000-0x0000000000431000-memory.dmp

              Filesize

              196KB

              Download