6ed40b29d8cbea35c1fba43b81b4ced3dd22dedb50871ac1168513826f4332ff

Analysis

max time kernel
0s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dcf313c7b9200277a88700ff036b5a3.exe
Size

1.2MB
MD5

1dcf313c7b9200277a88700ff036b5a3
SHA1

2bcf6d85a214e8c5acf6bdf845d51776318e059a
SHA256

6ed40b29d8cbea35c1fba43b81b4ced3dd22dedb50871ac1168513826f4332ff
SHA512

526ab3ad4eef95b92239e5d7d48a0f42fcb04e1b52591bd4cf79e0e51cfc20a24e2918451f6837825b023fe5e4892f7e04b7dfd207cc36b0f54ee61cf1678685
SSDEEP

24576:YaUZCHwO1d1QqbBE2tTBFSZzuKo0gNEPSwDOCzwJSbc7wmersHL:bQqtnLRs6MwJS+7

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

1dcf313c7b9200277a88700ff036b5a3.exe

description ioc process

File opened for modification C:\Windows\RemoveMenu 1dcf313c7b9200277a88700ff036b5a3.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org

description	ioc	process
File opened for modification	C:\Windows\RemoveMenu	1dcf313c7b9200277a88700ff036b5a3.exe

C:\Users\Admin\AppData\Local\Temp\1dcf313c7b9200277a88700ff036b5a3.exe
"C:\Users\Admin\AppData\Local\Temp\1dcf313c7b9200277a88700ff036b5a3.exe"
1⤵
- Drops file in Windows directory
PID:2496
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RemoveMenu

Filesize
47B

MD5
2728c5c6b49be46d1a8422b03c925024

SHA1
b02363a7bd2795e4a19608a8f26eecf1e7ed48aa

SHA256
aca64ce1afe69e6c7826171991f91d299bdf271eb2af4cfcabacac28a0bcb635

SHA512
af2d88a5ab2ea3dc542d54c469f2ba160852d47082fb833b98c0987b19318ec9ee8ba713acc0e836d2cf3bc7c2de6d56910fffdd8a9b134278491ed62262bc5c

Download Submit
memory/2284-42315-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2284-42307-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2284-42325-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/2284-42316-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/2420-42331-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42334-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42352-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42350-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42323-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42324-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2420-42322-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42349-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42329-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42330-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42333-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42348-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42332-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42342-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2420-42347-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42346-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-42344-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2496-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2496-42312-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2496-42306-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2496-42308-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2496-42309-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download