Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 12:33

Static task: static1
Behavioral task: behavioral1
Sample: 6edb93f13f3e7cc6cd399fec862f0f08.exe
Resource: win7-20231215-en

General
- Target: 6edb93f13f3e7cc6cd399fec862f0f08.exe
- Size: 874KB
- MD5: 6edb93f13f3e7cc6cd399fec862f0f08
- SHA1: 0414d9d771fd3ca75fb93c2fa3e52965305c8462
- SHA256: 209879f885f5b681482ecbe8acb22b3f7dd33517d0670041f13500002cbe84dd
- SHA512: dc717a1a6c938d040a0209c6cd6f866b2c550968a29d71ca7e6a5b50f02d39557f4b6e7c8dc4bdf80f71100aba25a9aef7b5e1cc2e2fc9e10682e91e528c149c
- SSDEEP: 24576:z+MLKmtvPyHu7h4SSy9pNg4W7HM8ScN+2QHCex:KiKmHyOop7s83QF
Malware Config
Signatures

- Loads dropped DLL (6 IoCs)
  pid | Process
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
  4192 | 6edb93f13f3e7cc6cd399fec862f0f08.exe
- Checks whether UAC is enabled (1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6edb93f13f3e7cc6cd399fec862f0f08.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4716 wrote to memory of 4376 | 4716 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 66
  PID 4716 wrote to memory of 4376 | 4716 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 66
  PID 4716 wrote to memory of 4376 | 4716 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 66
  PID 4376 wrote to memory of 4192 | 4376 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 67
  PID 4376 wrote to memory of 4192 | 4376 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 67
  PID 4376 wrote to memory of 4192 | 4376 | 6edb93f13f3e7cc6cd399fec862f0f08.exe | 67
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe
  "C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe"
  PID: 4716
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe
    "C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe"
    PID: 4376
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe
      "C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe"
      PID: 4192
      - Loads dropped DLL
      - Checks whether UAC is enabled
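The process tree and the WriteProcessMemory IoCs together describe a three-stage chain in which the same image launches itself twice and each parent writes into its child, and only the last stage loads the dropped DLLs and queries EnableLUA. The script below is an added example, not part of the sandbox report or its tooling: it reconstructs that chain from the report's own IoC line format ("PID X wrote to memory of Y"), classifies it as self-injection when every hop shares one image name, and checks whether the final stage is the one that queried the UAC key. All input data is constructed by hand from the tables above; the function and variable names are this example's own.

```python
"""Reconstruct a WriteProcessMemory injection chain from sandbox IoC lines."""
import re
from collections import defaultdict

# Constructed sample input, copied by hand from the IoC tables in the report
# above. It is embedded here so the example runs offline; nothing is fetched.
WPM_IOCS = [
    "PID 4716 wrote to memory of 4376",
    "PID 4716 wrote to memory of 4376",
    "PID 4716 wrote to memory of 4376",
    "PID 4376 wrote to memory of 4192",
    "PID 4376 wrote to memory of 4192",
    "PID 4376 wrote to memory of 4192",
]
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6edb93f13f3e7cc6cd399fec862f0f08.exe"
PROCESSES = {4716: SAMPLE, 4376: SAMPLE, 4192: SAMPLE}  # pid -> image path (from the process tree)
REGISTRY_IOCS = [  # (key queried, pid) from the "Checks whether UAC is enabled" signature
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 4192),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
UAC_KEY_SUFFIX = r"\policies\system\enablelua"  # compared case-insensitively


def parse_wpm(lines):
    """Return {writer_pid: {target_pid: write_count}} from the IoC lines.
    Raises ValueError on a line that does not match the sandbox's format."""
    edges = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory IoC line: {line!r}")
        writer, target = int(m.group(1)), int(m.group(2))
        edges[writer][target] += 1
    return edges


def injection_chain(edges, root):
    """Follow writer -> target edges from root and return the ordered PID list.
    Stops at a process that wrote to nothing, or when a PID repeats (cycle)."""
    chain, seen = [root], {root}
    while True:
        targets = edges.get(chain[-1], {})
        if not targets:
            return chain
        # If one writer has several targets, follow the most-written one;
        # ties go to the lower PID so the result is deterministic.
        nxt = max(targets, key=lambda p: (targets[p], -p))
        if nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)


def image_name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_chain(chain, processes):
    """One image name across every hop: the sample re-launches itself and writes
    into the child (self-injection). Otherwise it is cross-process injection."""
    images = {image_name(processes[pid]) for pid in chain}
    kind = "self-injection" if len(images) == 1 else "cross-process injection"
    return {"kind": kind, "hops": len(chain) - 1, "final_pid": chain[-1]}


def uac_check_pids(registry_iocs):
    """PIDs that queried HKLM\\...\\Policies\\System\\EnableLUA."""
    return sorted({pid for key, pid in registry_iocs
                   if key.lower().endswith(UAC_KEY_SUFFIX)})


def analyse(wpm_lines=WPM_IOCS, processes=PROCESSES,
            registry_iocs=REGISTRY_IOCS, root=4716):
    """Tie the three signatures together for one report."""
    edges = parse_wpm(wpm_lines)
    chain = injection_chain(edges, root)
    result = classify_chain(chain, processes)
    result["chain"] = chain
    result["writes_per_hop"] = [edges[a][b] for a, b in zip(chain, chain[1:])]
    result["uac_check_in_final_stage"] = chain[-1] in uac_check_pids(registry_iocs)
    return result


if __name__ == "__main__":
    r = analyse()
    print(f"{r['kind']}: {' -> '.join(map(str, r['chain']))} "
          f"({r['hops']} hops, writes per hop {r['writes_per_hop']}); "
          f"UAC check in final stage: {r['uac_check_in_final_stage']}")
```

For this report the chain resolves to 4716 -> 4376 -> 4192 with three recorded writes per hop, and the EnableLUA query comes from the last PID. A same-image chain like this is consistent with the sample unpacking or injecting a payload into a fresh copy of itself, but the IoC table only records that WriteProcessMemory was called, not what was written; confirming the payload needs a memory dump of PID 4192, which this report does not include.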
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 73KB
  MD5: ead3382be9221ae28610bd4eb286d068
  SHA1: 96bb6649cf46cf9288b5c5696be4d275663e762f
  SHA256: 5abff10011cb55a7ea8bdcd546a8db33f74c3209bb8285ac57bab80be644ea46
  SHA512: 5c2a8a7b505912eba589f50e9a254dd274f8a2bef08dfba4a5faed8d94c47a88437acb1107ceb4c4ced128b84311d3e0475b3a25ad0f1190c55a84644c89e824

- Filesize: 5KB
  MD5: 44dac7f87bdf94d553f8d2cf073d605d
  SHA1: 21bf5d714b9fcab32ba40ff7d36e48c378b67a06
  SHA256: 0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66
  SHA512: 92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

- Filesize: 494KB
  MD5: f0c59526f8186eadaf2171b8fd2967c1
  SHA1: 8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb
  SHA256: 6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6
  SHA512: dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

- Filesize: 200KB
  MD5: 8a808b037b3f57dc186d89306ae0ad7c
  SHA1: 602d960fd82cf69acc17330adafbaad761837301
  SHA256: 18fe6735423cba457c69540141a3928b45365165a35be97ed8fc00043a3b6aaa
  SHA512: 48db4797b2b33ea15a1b356cf778f7edd54b78d24eff02859072a645e7232488cf81b22e71569f0dd232a58859dbc285ba8d383d0600475b6497d6195b3d2a02