Analysis
max time kernel: 148s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 19:40
Static task: static1
Behavioral task: behavioral1
Sample: 0e398d57f2cca4afda60be9e4ed0b8b1.exe
Resource: win7-20231215-en
General
Target: 0e398d57f2cca4afda60be9e4ed0b8b1.exe
Size: 168KB
MD5: 0e398d57f2cca4afda60be9e4ed0b8b1
SHA1: 6dfb0682e9c1537650b5c1567945082f32a45054
SHA256: 16799c21053de11e9b264d7ef82189ee7c6bb0744c407d3b28bbe88ad15e6426
SHA512: 00e544d0df011fd8ca247b298cd2d9de1dcfe518a83cf54da0dceaad2c39c4bad0c49c6ce2e9e75f1733b050fc4b264a1b72f7e0cd9d0962b447591d15e5a8c0
SSDEEP: 3072:eOoeFaYy1t654C93yeMwNuXVHbobmYnzBGSHOjfKlPTRCW4jBTM5BDt+09qgVJQK:eJeFoHyLhyuuXVUikzBGSHOjfKlPTRCO
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  2600  Service45.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1716  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  948   schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  2492  timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe
  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe
  Token: SeDebugPrivilege  2600  Service45.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                               procid_target
  PID 2204 wrote to memory of 2868  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  29
  PID 2204 wrote to memory of 2868  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  29
  PID 2204 wrote to memory of 2868  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  29
  PID 2204 wrote to memory of 2868  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  29
  PID 2204 wrote to memory of 1716  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  31
  PID 2204 wrote to memory of 1716  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  31
  PID 2204 wrote to memory of 1716  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  31
  PID 2204 wrote to memory of 1716  2204  0e398d57f2cca4afda60be9e4ed0b8b1.exe  31
  PID 2868 wrote to memory of 948   2868  cmd.exe                               33
  PID 2868 wrote to memory of 948   2868  cmd.exe                               33
  PID 2868 wrote to memory of 948   2868  cmd.exe                               33
  PID 2868 wrote to memory of 948   2868  cmd.exe                               33
  PID 1716 wrote to memory of 2492  1716  cmd.exe                               34
  PID 1716 wrote to memory of 2492  1716  cmd.exe                               34
  PID 1716 wrote to memory of 2492  1716  cmd.exe                               34
  PID 1716 wrote to memory of 2492  1716  cmd.exe                               34
  PID 1716 wrote to memory of 2600  1716  cmd.exe                               35
  PID 1716 wrote to memory of 2600  1716  cmd.exe                               35
  PID 1716 wrote to memory of 2600  1716  cmd.exe                               35
  PID 1716 wrote to memory of 2600  1716  cmd.exe                               35
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\0e398d57f2cca4afda60be9e4ed0b8b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e398d57f2cca4afda60be9e4ed0b8b1.exe"
  PID: 2204
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service45" /tr '"C:\Users\Admin\AppData\Roaming\Service45.exe"' & exit
    PID: 2868
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Service45" /tr '"C:\Users\Admin\AppData\Roaming\Service45.exe"'
      PID: 948
      - Creates scheduled task(s)

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.bat""
    PID: 1716
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2492
      - Delays execution with timeout.exe

    (depth 3) C:\Users\Admin\AppData\Roaming\Service45.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Service45.exe"
      PID: 2600
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 153B
MD5: 336419e69cc04f9aa8d0dbf0b59f0825
SHA1: 5b3a5139a24d72f403860c99f28b1f49ef502822
SHA256: 2b620d7e83795b0f772b24e39aa5e03196063e05baba170630e8688b25e0c60e
SHA512: 87481eec630e019f2050d50454ddcecb719e86542104a42b6c6de3ea145192bec51aa4ed936ed9a4ea8aeb476969b080c8badbdb28fdfa6872829e506110783b

Filesize: 168KB
MD5: 0e398d57f2cca4afda60be9e4ed0b8b1
SHA1: 6dfb0682e9c1537650b5c1567945082f32a45054
SHA256: 16799c21053de11e9b264d7ef82189ee7c6bb0744c407d3b28bbe88ad15e6426
SHA512: 00e544d0df011fd8ca247b298cd2d9de1dcfe518a83cf54da0dceaad2c39c4bad0c49c6ce2e9e75f1733b050fc4b264a1b72f7e0cd9d0962b447591d15e5a8c0