Analysis
max time kernel: 105s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2023 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0cd10363ce029621f9faf3666115e6b1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0cd10363ce029621f9faf3666115e6b1.exe
  Resource: win10v2004-20231222-en
General
Target: 0cd10363ce029621f9faf3666115e6b1.exe
Size: 14KB
MD5: 0cd10363ce029621f9faf3666115e6b1
SHA1: cfa63e2702b213b883209692ce9be1280ebe0f0c
SHA256: 7de51490518a356cd6bc88c4dbaaf60a5e7cd98c0a64abfb20381949c07b3bc1
SHA512: 5b70a40f77764317fc10b24998fa2b6d8bf755cc57caffa0ebe4b65a19ac030f3fb8348add2cc372e8bb290eaee7edd34c370985a07a5e3460de8e31297377b9
SSDEEP: 384:XhRw+4SElgjLXRgpZwquGym+WWvDNgAPr:Xh14WX0uGzRWrNgAPr
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid | Process
  2576 | ravztmon.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ravztmon = "C:\\Program Files\\NetMeeting\\ravztmon.exe" | ravztmon.exe

- Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\NetMeeting\ravztmon.exe | 0cd10363ce029621f9faf3666115e6b1.exe
  File created | C:\Program Files\NetMeeting\ravztmon.exe | 0cd10363ce029621f9faf3666115e6b1.exe
  File opened for modification | C:\Program Files\NetMeeting\ravztmon.cfg | ravztmon.exe
  File opened for modification | C:\Program Files\NetMeeting\ravztmon.dat | ravztmon.exe
  File created | C:\Program Files\NetMeeting\ravztmon.dat | ravztmon.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4468 | 0cd10363ce029621f9faf3666115e6b1.exe
  4468 | 0cd10363ce029621f9faf3666115e6b1.exe
  4468 | 0cd10363ce029621f9faf3666115e6b1.exe
  4468 | 0cd10363ce029621f9faf3666115e6b1.exe
  2576 | ravztmon.exe
  2576 | ravztmon.exe
  2576 | ravztmon.exe
  2576 | ravztmon.exe
  2576 | ravztmon.exe
  2576 | ravztmon.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2576 | ravztmon.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 4468 wrote to memory of 2576 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 26
  PID 4468 wrote to memory of 2576 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 26
  PID 4468 wrote to memory of 2576 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 26
  PID 2576 wrote to memory of 3568 | 2576 | ravztmon.exe | 51
  PID 4468 wrote to memory of 2836 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 22
  PID 4468 wrote to memory of 2836 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 22
  PID 4468 wrote to memory of 2836 | 4468 | 0cd10363ce029621f9faf3666115e6b1.exe | 22
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\0cd10363ce029621f9faf3666115e6b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cd10363ce029621f9faf3666115e6b1.exe"
  PID: 4468
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0cd10363ce029621f9faf3666115e6b1.exe"
    PID: 2836

  - [depth 2] C:\Program Files\NetMeeting\ravztmon.exe
    Command line: "C:\Program Files\NetMeeting\ravztmon.exe"
    PID: 2576
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3568
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 14KB
  MD5: 0cd10363ce029621f9faf3666115e6b1
  SHA1: cfa63e2702b213b883209692ce9be1280ebe0f0c
  SHA256: 7de51490518a356cd6bc88c4dbaaf60a5e7cd98c0a64abfb20381949c07b3bc1
  SHA512: 5b70a40f77764317fc10b24998fa2b6d8bf755cc57caffa0ebe4b65a19ac030f3fb8348add2cc372e8bb290eaee7edd34c370985a07a5e3460de8e31297377b9