Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    25-12-2023 11:48

General

  • Target
    1bec4d1d2a6049039896ce44b1ebad45.exe
  • Size
    926KB
  • MD5
    1bec4d1d2a6049039896ce44b1ebad45
  • SHA1
    1f33da06e9c1a50d5c9fd623184011b08cc3adf8
  • SHA256
    10bc5ff2aea597c2c37d82af8ad997f3ef08bc067a451e890614618bb44ba707
  • SHA512
    996f6e73b190b52d246273710dabfeab5a61b1a461e1f6e32289ef9ce0098e258dd3b52ef76b53777a3e574690a8b753bb5b4f6a5295a11ccaf0d819e8c9266c
  • SSDEEP
    6144:hvO2ywiiwfg5gAgW8lNiofT8DPl0LIp24ZxRRa7oBi2af/s1soFqheAY1GTPZ9hf:tiiGg5gAgxR00LyQYixnziIPFoA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in System32 directory 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bec4d1d2a6049039896ce44b1ebad45.exe
    "C:\Users\Admin\AppData\Local\Temp\1bec4d1d2a6049039896ce44b1ebad45.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\system32\HomeLock64.exe
      C:\Windows\system32\HomeLock64.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\syswow64\rundll32.exe
      C:\Windows\syswow64\rundll32.exe C:\Windows\syswow64\wxnotify.dll SetFilterEx
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 284
    1⤵
    • Loads dropped DLL
    • Program crash
    PID:2692

Network

MITRE ATT&CK Matrix

Downloads

  • C:\KSafebin\conf\ö..\ksafec.dat
    Filesize
    128B
    MD5
    9b6b6a7ee138068ad2b4305258ce81b3
    SHA1
    cd851436b895dd86fec925e4d373e8dc640af53c
    SHA256
    21e857f7af0e567df0e27f84f07a1a06af9f7f6479f62fc3c8035a00e22de5e9
    SHA512
    6a2d27354a379afec92e6f5fcf3dfc7bf827dedf25f726500c5f94c67c99d598c983b6373c5f0cb976c6a2b0b847e0538583199b216a43f99971c7476ef4af74
  • C:\KSafebin\conf\ö..\ksafer.dat
    Filesize
    2KB
    MD5
    4830ab6f34972970a7d6bfdb5e92e236
    SHA1
    ca69721f231c3b2243657be4d1f74e039035c982
    SHA256
    981887b17eac1309ced7a34116808ad3c15e4ef5523c96f948b1d9a07af7d414
    SHA512
    219b001f5f6944a5295c417315f84218c58798e043b921866e6a729855814f49b897b6f0d97d93e006b9f2bfb6d2f78756b9d05261e28d8e3fe1ddd00586512f
  • C:\KSafebin\conf\ö..\ksafesvc.tat
    Filesize
    373B
    MD5
    15858f6fc5fdca0f2fef6018859f77ed
    SHA1
    467bea8772f9f43c04088cc03472c805ac29ba19
    SHA256
    b73a32be2c2e267ea08bb9b3d24f9d2c782ed0c3da71bb7153efb29df3ca8bdf
    SHA512
    dd2f61cb10bd1f8185c7682c8b144d4b8b5045e11d793fc9014bc3592a182a18c799b22cd121d7c38e947b57d7a013ad1fa9b8314ed1754cf1f993c8244e9326
  • C:\KSafebin\conf\ö..\qmvext.tat
    Filesize
    3KB
    MD5
    59ccdec24b3cefd06c64e787ad6c54e6
    SHA1
    439d1082bc481c8a2b9b2707af02390b980d581d
    SHA256
    c4d027c4dfb864524b77ae72b89f275e50118b9ad33f054cf46e4cb583bc641a
    SHA512
    b2a2c3a41093046e0ac49f180aa65cd5672639a6065af157bbb945dec0d7e8699e78b939832f3d1412995d46b4797e0d13b7c791d6ddc215ca696b2c28e9873f
  • \Windows\SysWOW64\baiimg32.dll
    Filesize
    72KB
    MD5
    64615e68077137db927b4e4e707a050d
    SHA1
    1f349304b0c6c4dcc71d9a0264feec6001390bf0
    SHA256
    17c836194a62e9360215142af9fb7ae63623c2115b9682fa0717b36b3af35d34
    SHA512
    223385ee6c5dbbfb85a402466312ab9a0c9c8b77dd17049d4be7161960d3912d61d4aaa0c371d9661b392eb55b3ead1462f310af2c81515e1f6d28763866e4ec
  • \Windows\SysWOW64\wxnotify.dll
    Filesize
    256KB
    MD5
    47659d0620f0c3240041c7351e29077f
    SHA1
    48139222e01bc1b2b8411cf077c87aa48f90c9f6
    SHA256
    274fb653b33b94bb3f81209a92a040eb50a1f7423bcb69328252b1247b6790fa
    SHA512
    37be9a5bed2f2b57dab7bb42ee3a973181ab1f09ec0efdce4a03b8df220c5980f158134a6b631b03ca1c797d04254ee718ecfcd33954507e0722692a2fade291
  • \Windows\System32\HomeLock64.exe
    Filesize
    57KB
    MD5
    e213b743fa4e8a4487308651051e069e
    SHA1
    b35729a5fab71222f753d4215fc5da1fa5194d25
    SHA256
    6281b013e90b53741f7da32ae77394fa1271a8ba614754ea013591aacedeb072
    SHA512
    195dcf3666ad8419679c250c33f4b0ec91ea534aa6c4c0c10712f8fd4a8002bd1cb5f5b6d1bd87083a4a19d6cb2584e1938ceebbb374f3cacc3aa0d95449d80f
  • \Windows\System32\wxnotify.dll
    Filesize
    346KB
    MD5
    6d6d41c4e142bf58621f5432c73066c4
    SHA1
    9a2093b291a97f5294e2be03d688e83e0d7d1c26
    SHA256
    758eb8a1e77b405859bd5d159cd786a11affa6157ed7ede8651c3de59fa8c7dc
    SHA512
    8d38b2f6e6ee541b6ee821cf44bde39b4fd98398ce8701a6d7566f2edab2d6bbe65e31d9287b928d6b5ff6a5ecbfe3361b6a044f9920a6f7ab54b37326680222
  • memory/1360-35-0x0000000002580000-0x0000000002581000-memory.dmp
    Filesize
    4KB
  • memory/1360-43-0x000007FE7D0F0000-0x000007FE7D0F1000-memory.dmp
    Filesize
    4KB
  • memory/1360-42-0x0000000002580000-0x0000000002581000-memory.dmp
    Filesize
    4KB
  • memory/2640-50-0x00000000002A0000-0x00000000002B3000-memory.dmp
    Filesize
    76KB