Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 05:08

Static task: static1
Behavioral task: behavioral1
- Sample: 06db6ad7de70064ba8e809d6e393cd6c.exe
- Resource: win7-20231129-en
General
- Target: 06db6ad7de70064ba8e809d6e393cd6c.exe
- Size: 877KB
- MD5: 06db6ad7de70064ba8e809d6e393cd6c
- SHA1: 91eaeb9027a2ddd24240c40d33a73cf00855dce5
- SHA256: ab9127fc33e433f855b366f6838bbd2ed2d509f8abc94f51786dce6db79f22e9
- SHA512: fa733426007aefc0c7686e6c0142fefb15b29e92bfaae38c5d6eedc161958acd32c291ae1f69e58de409589e1144d41af8bb3b4f05b1bf01079ed33c834ba6c0
- SSDEEP: 24576:MYMLKmtvPyHu71iNpRiby9pNg4W7HMeG3bOAHCwp:niKmHyO0Pwp7s1b
Malware Config
Signatures
- Loads dropped DLL 4 IoCs
  pid | Process
  2264 | 06db6ad7de70064ba8e809d6e393cd6c.exe
  2264 | 06db6ad7de70064ba8e809d6e393cd6c.exe
  2264 | 06db6ad7de70064ba8e809d6e393cd6c.exe
  2264 | 06db6ad7de70064ba8e809d6e393cd6c.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 06db6ad7de70064ba8e809d6e393cd6c.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 14 IoCs
  description | pid | Process | procid_target
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 1244 wrote to memory of 2936 | 1244 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 28
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
  PID 2936 wrote to memory of 2264 | 2936 | 06db6ad7de70064ba8e809d6e393cd6c.exe | 29
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe"
  PID: 1244
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe"
    PID: 2936
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\06db6ad7de70064ba8e809d6e393cd6c.exe"
      PID: 2264
      - Loads dropped DLL
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 73KB
  MD5: fb60ba7ef530e0ec3844f0090dbeba80
  SHA1: 81bceda0455fa6733d9ff6023eb7a4add3f45da2
  SHA256: c9a466b02fcf12a9451581cc34b17711aebb208ef6d59a3a9352c400721f1f12
  SHA512: bb23caaaca156dc7a4ba46ebe5f0da443b6cbeaefc5beafb55762015c60f35f794e1ae2036fc95f69921401f91a9bf9590dc96415d60204e060de4a6a188b297
- Filesize: 5KB
  MD5: 44dac7f87bdf94d553f8d2cf073d605d
  SHA1: 21bf5d714b9fcab32ba40ff7d36e48c378b67a06
  SHA256: 0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66
  SHA512: 92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774
- Filesize: 391KB
  MD5: 2df0ef7c23b82df9df7ea202f6830a4d
  SHA1: 183557ef8fd6d99b554b00237c5a94802bc5ea72
  SHA256: b2111fb5cdd97d7a8faf1b155682310597f0e301838eb88f403f533ad6b9b13e
  SHA512: 037cf49d93520211c50bc6abf8d3bbde0da286b505cefabfa05198f8c2b62801c8c1ba21d2f3f18424626cd53908e1faa3ba733a02c86cc461019e72d69d9cd4
- Filesize: 93KB
  MD5: c8a54c077e00ee08720437b3e2eda5c5
  SHA1: ecc6103eea1f4c14d37cdf6d10bfa43beea65de7
  SHA256: e74d5e5e54e647c0c9b1ab86e171698c4a00ebc6471316202cd336e875d1fa0d
  SHA512: 99a9a426cf29fdd5f377c99e22aa8a58a32ec6d2d823779ff81ff59b87b8c036afb65e268ac422cab78ef20e85c56dd6b5b783e98e6cf7ccaed3b29327edb881