9d64529e7bcffc3fe405cc0d15cb8d1a2d6ccfbc76c592e1643d1ba84997579e

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
Size

37KB
MD5

0e3719ddb5e80a1d7a0a8a39dfa73c4f
SHA1

166c018037b7df6437bee180add5342ebf487489
SHA256

9d64529e7bcffc3fe405cc0d15cb8d1a2d6ccfbc76c592e1643d1ba84997579e
SHA512

d7fdcbf2a17a9276b4c81ac0d9fd110056f61b48a36aa9747daf86276c2540ccf4f9394ae060bca443d6d96c5ca4fd2311db48d087e992da2ceac54aef78be7f
SSDEEP

768:XgQkYItDn0dXfeGXHizJq4sZN18pXvnemTrIavNrLg87sBJK:w/RVnSX2GCJqtDeeOIah98K

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3860 set thread context of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\0ya57q23c.com	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
File created	C:\Windows\Fonts\0ya57q23c.com	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3312	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
3312	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91
PID 3860 wrote to memory of 3312	3860	0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe	91

C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
"C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
  C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3312-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3312-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3312-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3312-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3312-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download