Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 14:27

General

  • Target

    00d7e08828911741722e34c8f7f02a99.exe

  • Size

    146KB

  • MD5

    00d7e08828911741722e34c8f7f02a99

  • SHA1

    47a66839d7fa7101bc475909b3240d8fe530263b

  • SHA256

    e7bb20873cd61e6bea3e332317f63bb7e091d574d854af3ed2b96b57168bb767

  • SHA512

    2011f3063c2a454c51d16a8b5d0342acfbc0f5c43b0f92b1fcdbff72af4aeaf7485d700aec5ac01828b7ea073297beaaf88c5657f6c80e3040d415af724d775b

  • SSDEEP

    3072:cPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkU/Ik:cPhaCEHpMGljt/RYkUr

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs

    The Run key is written by the rundll32.exe setupapi,InstallHinfSection run (PID 2848), so the persistence entry comes from the dropped C:\Windows\inf\inetsvr.inf rather than from the sample's own code; driving registry writes through an INF file lets a signed Windows binary do the work.
  • Drops file in Windows directory 9 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system. Here it reconfigures the service "inetsvr" with type= interact type= own, i.e. a service running in its own process that is allowed to interact with the desktop.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the read is attributed to runonce.exe (PID 2716), a Windows binary started by the INF install, so it is not necessarily evasion logic in the sample itself.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs

    The tasklist output is searched with find "360tray.exe" from jkk.bat, a check for whether the Qihoo 360 security product's tray process is running.
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00d7e08828911741722e34c8f7f02a99.exe
    "C:\Users\Admin\AppData\Local\Temp\00d7e08828911741722e34c8f7f02a99.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1314.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\inf\inetsvr.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
              PID:2696
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2604
        • C:\Windows\SysWOW64\sc.exe
          sc config inetsvr type= interact type= own
          3⤵
          • Launches sc.exe
          PID:2752
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\inf\rsed.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:676
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Windows\inf\jkk.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2140
            • C:\Windows\SysWOW64\find.exe
              find "360tray.exe"
              5⤵
                PID:2012

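The process tree above is the kind of chain an endpoint detection would want to catch as a whole rather than one command at a time. The following is an added example and not part of the sandbox report: Python rules run over process-creation records constructed from the report's own command lines, PIDs and parent/child links (the record shape, a simplified Sysmon-style event with pid, ppid, image and cmdline, is an assumption, not a real log format). It flags the INF install through rundll32, the service reconfigured as interactive, scripts launched from C:\Windows\inf, the loopback ping used as a delay, and the tasklist | find probe for 360tray.exe, and for each hit walks the chain back to the root process.

```python
"""Rules for the execution chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is CONSTRUCTED from
the report's own command lines, PIDs and parent/child links; the record
shape (pid, ppid, image, cmdline) is a simplified Sysmon-style
process-creation event and is an assumption, not a real log format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\00d7e08828911741722e34c8f7f02a99.exe"

# Constructed from the process tree on this page (ppid 0 = no parent recorded).
EVENTS = [
    ProcEvent(2212, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2056, 2212, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1314.bat"),
    ProcEvent(2848, 2056, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\inf\inetsvr.inf"),
    ProcEvent(2716, 2848, r"C:\Windows\SysWOW64\runonce.exe", r'"C:\Windows\system32\runonce.exe" -r'),
    ProcEvent(2696, 2716, r"C:\Windows\SysWOW64\grpconv.exe", r'"C:\Windows\System32\grpconv.exe" -o'),
    ProcEvent(2604, 2056, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
    ProcEvent(2752, 2056, r"C:\Windows\SysWOW64\sc.exe", r"sc config inetsvr type= interact type= own"),
    ProcEvent(676, 2056, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\inf\rsed.vbs"'),
    ProcEvent(968, 676, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Windows\inf\jkk.bat" "'),
    ProcEvent(2140, 968, r"C:\Windows\SysWOW64\tasklist.exe", r"tasklist"),
    ProcEvent(2012, 968, r"C:\Windows\SysWOW64\find.exe", r'find "360tray.exe"'),
]

# (rule name, regex on image basename, regex on command line); all matched case-insensitively.
RULES = [
    # INF-driven install through a signed Windows binary; the INF can write Run keys.
    ("inf_install_via_rundll32", r"^rundll32\.exe$", r"setupapi.*InstallHinfSection.*\\Windows\\inf\\"),
    # Service reconfigured to interact with the desktop.
    ("service_made_interactive", r"^sc\.exe$", r"\bconfig\b.*type=\s*interact"),
    # Script or batch files launched from C:\Windows\inf, an unusual staging directory.
    ("script_from_windows_inf", r"^(wscript|cscript|cmd)\.exe$", r"\\Windows\\inf\\[^\\\s\"]+\.(vbs|bat|cmd)\b"),
    # find.exe looking for the Qihoo 360 tray process name.
    ("av_process_probe", r"^find\.exe$", r"360tray\.exe"),
    # Loopback ping, commonly used as a sleep inside batch scripts.
    ("localhost_ping_delay", r"^ping\.exe$", r"\b127\.0\.0\.1\b"),
]


def image_name(path: str) -> str:
    """Lower-cased basename of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """The process followed by its parents, up to the first PID with no record."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def scan(events):
    """Apply RULES to every event; each hit records the root of its process chain."""
    findings = []
    for e in events:
        for name, img_re, cmd_re in RULES:
            if re.search(img_re, image_name(e.image), re.I) and re.search(cmd_re, e.cmdline, re.I):
                chain = ancestry(events, e.pid)
                findings.append({"rule": name, "pid": e.pid,
                                 "root": image_name(chain[-1].image), "depth": len(chain)})
    return findings


def tasklist_piped_to_find(events):
    """Parents that spawned both tasklist.exe and find.exe: the process-creation
    footprint of `tasklist | find "name"`. Returns (parent pid, searched string)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    hits = []
    for ppid, kids in by_parent.items():
        names = {image_name(k.image) for k in kids}
        if {"tasklist.exe", "find.exe"} <= names:
            for k in kids:
                if image_name(k.image) == "find.exe":
                    m = re.search(r'"([^"]*)"', k.cmdline)
                    hits.append((ppid, m.group(1) if m else k.cmdline))
    return hits


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} depth={f['depth']} root={f['root']}")
    for ppid, probe in tasklist_piped_to_find(EVENTS):
        print(f"tasklist|find under pid {ppid} looks for {probe}")
```

Run against the constructed events this yields six rule hits (two for scripts started from C:\Windows\inf) plus the tasklist|find correlation under PID 968; the depth and root fields show that every hit descends from the sample in the user's Temp directory, which is the relation a per-command rule on its own would miss.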
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bt1314.bat

    Filesize

    2KB

    MD5

    7d3dfd750061099dacdd91f8e5f54a0c

    SHA1

    bba9aa38ebb8ffdb16d9cdf621fa60b1b04f9c44

    SHA256

    029b69bb5cd8cefa2efca4ef0a2cf12a1312ec313cecd32430fb61fed69dbf9b

    SHA512

    aec03644e5d17f8acf1728e336426504747eddbad992a8214844e0366c8144234f96c75b2e88c18bfc7dd23e5e0d40e6dce0eb61f38fd568e03adc671317e55e

  • C:\Windows\inf\inetsvr.inf

    Filesize

    346B

    MD5

    8ad4049ca4d11e7537500ccb1de4d957

    SHA1

    d7d3c43e515bec5018bb174eb3f621b80bb3fda4

    SHA256

    1074d17ea22c857c6362a8cb4e955f8f0486fdb26bcc2fb685441b17b20fca72

    SHA512

    dd8e7af519b477fc5de9f4529d203deec283e77aadaf5e9a4e84cb0d3ec2381823c57f8364dc1572c7cd6de6fa04a336f5746d6f04d3ed8a7fa835713a5d24b1

  • C:\Windows\inf\jkk.bat

    Filesize

    585B

    MD5

    f60f4805d914c2742e642cce87021158

    SHA1

    0917af7506b2af8a28abfc0b18090329bedcfe58

    SHA256

    29d698171d6f7c405720f0c2159268d9619ce4e60fb5a61caaaff7692e847d94

    SHA512

    a6d8da3c4e874f177947fe88d34e77785a8e609b0b4672655a690527435b3777692ded4f127e9b2fe0aefbff5aaf6be5b7685bf7b34e6cf5985a7d9ad8db15a2

  • C:\Windows\inf\rsed.vbs

    Filesize

    104B

    MD5

    5fac8324735dbb5054f81d3ef5a4e2b1

    SHA1

    baab907793fac80cdd6de4ddfbe4a7cddad4e92c

    SHA256

    bd689762f1899070714ee0d1059d0230547b1c1c93718409872f075d517d041c

    SHA512

    a9d23f657060fac4a607b5653ecf05a7f785316bfc9819020ba3cefedcbb6e9a301909cbe191916fc279207821a6c46e78f2de9861d7a0c20565e15df398a0a0

  • C:\Windows\inf\rstd.bat

    Filesize

    81B

    MD5

    44d64767bb9322977f22f4daf988977b

    SHA1

    60f5f01f137f53fbc8198f93b99cba18b74b8d3d

    SHA256

    f227dd417c36aeb3fb1052b9464a37f812d9104f09efa49b732df75111e171d6

    SHA512

    9464fb6fe595c576b1ef1984efe3e8a1b4f201452d683713e38b9e9feeaff21b3798a462192e8d01d1f40b29bdbfbbc2b2262f9695cd586d8ba8aba745999859

  • memory/2212-62-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB