Overview

overview

7

Static

static

3

05469e24bd...4e.exe

windows7-x64

7

05469e24bd...4e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    240s
  • max time network
    280s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05469e24bd9fc5b10271cca5ab1e9b4e.exe

  • Size

    323KB

  • MD5

    05469e24bd9fc5b10271cca5ab1e9b4e

  • SHA1

    4a836f602bda13243ce69776c5343255e8690bbd

  • SHA256

    e4fb7d3f5437f91f4159bb0c8e10addf1d775c5ff5374fc4cd0328064e663ad7

  • SHA512

    fd2eff1f7a079e92006bdf7850cacf2d06aca3d0c4ef1529d257bc4957f67e9285b817dd220843973a76e8e96156d92a7b46331f172ff66930489d138916c1bd

  • SSDEEP

    1536:FkoVgaYJLFfLJEUI1qeXxyGA3N5eyD8SlNDSzvHFRiCCVGCWPGeSe+eooOoaoCok:/tYJLFfLoWGA3N5ecYxo

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe
    "C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
      2⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\Temp\Del983A.tmp
        C:\Users\Admin\AppData\Local\Temp\Del983A.tmp 300 "C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
        2⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies Internet Explorer start page
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
          3⤵
            PID:1952

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Del983A.tmp
        Filesize

        323KB

        MD5

        05469e24bd9fc5b10271cca5ab1e9b4e

        SHA1

        4a836f602bda13243ce69776c5343255e8690bbd

        SHA256

        e4fb7d3f5437f91f4159bb0c8e10addf1d775c5ff5374fc4cd0328064e663ad7

        SHA512

        fd2eff1f7a079e92006bdf7850cacf2d06aca3d0c4ef1529d257bc4957f67e9285b817dd220843973a76e8e96156d92a7b46331f172ff66930489d138916c1bd

        Download Submit

      • C:\WINDOWS\ddhnj.vbs
        Filesize

        266KB

        MD5

        8e5915159074918ea4d04bf06715a4c4

        SHA1

        8e98a3568fe653d890c8e58d78e3f094a60d922f

        SHA256

        f9553d6e62cd2c65b0defa28c3cb990811bf6c4e56d017b569752b88b5e2b223

        SHA512

        3aa84269f5e53645c4877c90830438d19d3e0b3dabfb65376e5305b06beb5ccb9f95e38bf0a3479078ad64d7cfdc26f0a87eda8466d67b0a66ee0922d3e27201

        Download Submit