Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 13:07

General

  • Target

    70dd434be5cb50e67561ec347b055bac.exe

  • Size

    17KB

  • MD5

    70dd434be5cb50e67561ec347b055bac

  • SHA1

    bc94462a754657d746612da3d50b1e5f4e9ad141

  • SHA256

    c26f535bd924d0fd25f7e3df5757c9b0840eae22ee7584713ac60ad8c6c742d0

  • SHA512

    781eb152b461b3efd050c1b547a67ec48445f30e64f09ec623b46918a74e764aae8181c8d0f903ab71a2955d24b436ad3e219fd09c26e7844f58c780cfc3f274

  • SSDEEP

    384:1vj7yr5EbfBJoWfGzHpKZPve8BTaFsZ9GzDU1LPKQYtB5otCJBqcJk7Tb:1vKrCJsDpM+8Bez4tKXtLo0JBwb

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70dd434be5cb50e67561ec347b055bac.exe
    "C:\Users\Admin\AppData\Local\Temp\70dd434be5cb50e67561ec347b055bac.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\System.exe
      C:\Windows\system32\System.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\SelfDel.bat" "
      2⤵
      • Deletes itself
      PID:2816

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\SelfDel.bat

          Filesize

          279B

          MD5

          e750a743831c693e91c3e53d2793f419

          SHA1

          39497767dbbb1a6805a3311596194d6dd7a5aac9

          SHA256

          337218a056ddb58751bdfd0ea6054ff8b6eb606b2b2852012faa99ae48e35696

          SHA512

          f919e250974f813403143d43ef134a793b2d801cad3efe20254233cafaa8a78c4ee690cde2374249ee41d662b688777e453c1c21c98948b528fab54e529111ab

        • C:\Windows\SysWOW64\HBmhly.dll

          Filesize

          19KB

          MD5

          a42dc2393abbd47aa136385b3aa42402

          SHA1

          25037916c729062508961fa1cc90aa0e7407f67a

          SHA256

          9c3ce7ea3d510de6ff1770524a9435704cd89e8680b33ddb33efc6770dae6826

          SHA512

          fc4e274067d8f9274857974bdf24823197c912ea245a95f5fdd3c48e9431aab8caaf41f03987afb598c24ef576d4dba794d6b8e743812bfa57a339b1b340cee7

        • \Windows\SysWOW64\System.exe

          Filesize

          7KB

          MD5

          096e6a86a635001ece2c8ad5533fe66f

          SHA1

          3ae8b2fcb5207151ac6fb2675e959492b071534c

          SHA256

          bf0ba6a4aa05ee550f6d8d1c12c8ed994718fe8616b64365b489e6b7a56c548c

          SHA512

          268f397fc1c64999fdbc988ff5d1ae8fa923f8eb1b6cd5528e61d00b2bda71da7ad5ae0c35a336d7883b5ba47ce99097586a39e18e7de45d0f1c0cde3293930a
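The signatures, process tree and dropped-file list above describe one persistence chain: the sample writes HBmhly.dll and a copy of itself named System.exe into C:\Windows\SysWOW64, registers a Run key, touches the AppInit_DLLs entry, runs the dropped System.exe, and removes the original via SelfDel.bat. The following host-hunt script is an added example, not part of the sandbox output, and is meant to be run elevated on a suspect Windows host. It takes the two SysWOW64 paths and their SHA256 values from the Downloads section, and the AppInit_DLLs key locations are the documented Windows ones; because the sample is 32-bit, both the native and the Wow6432Node registry views are checked. The report does not name the Run value or the AppInit_DLLs data, so the script flags any Run value whose data points at a System.exe under SysWOW64 or system32, and any non-empty AppInit_DLLs value (both are assumptions about what a hit looks like, not facts from the report):

```powershell
# Added hunt script for the indicators in this report (not part of the sandbox output).
# Assumptions: run elevated; paths/hashes below are copied from the report; Run value
# names and AppInit_DLLs contents are not in the report, so those checks are heuristic.

$Iocs = @{
    'C:\Windows\SysWOW64\HBmhly.dll' = '9c3ce7ea3d510de6ff1770524a9435704cd89e8680b33ddb33efc6770dae6826'
    'C:\Windows\SysWOW64\System.exe' = 'bf0ba6a4aa05ee550f6d8d1c12c8ed994718fe8616b64365b489e6b7a56c548c'
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: a clean install has neither file in SysWOW64, so the path existing
#    is itself suspicious; a SHA256 match ties it to this exact sample.
foreach ($path in $Iocs.Keys) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $Iocs[$path]) {
            $Findings.Add("HASH MATCH  $path ($hash)")
        } else {
            $Findings.Add("SUSPICIOUS  $path exists, SHA256 $hash differs from the report")
        }
    }
}

# 2. AppInit_DLLs: check both registry views, since a 32-bit dropper writes the WOW64 one.
#    LoadAppInit_DLLs is reported too; on Windows 7 the DLL list is only honoured when it is 1.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $AppInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and -not [string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) {
        $Findings.Add("APPINIT     $key AppInit_DLLs='$($props.AppInit_DLLs)' LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)")
    }
}

# 3. Run keys (value name unknown, so match on the data): flag anything launching System.exe
#    from SysWOW64 or system32, which is where the dropped copy lives.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
        if ("$($p.Value)" -match '(?i)\\(syswow64|system32)\\System\.exe') {
            $Findings.Add("RUNKEY      $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. Live process: the dropped copy runs as System.exe (PID 2544 in the sandbox). The kernel
#    'System' process (PID 4) has no image path, so it is filtered out by the Path test.
Get-Process -Name System -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -match '(?i)\\(syswow64|system32)\\System\.exe$' } |
    ForEach-Object { $Findings.Add("PROCESS     PID $($_.Id) $($_.Path)") }

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this report found on this host.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Treat a HASH MATCH as confirmation of this sample; a SUSPICIOUS or RUNKEY hit alone may be a variant or an unrelated file named System.exe, so pull the file for hashing before acting. The SelfDel.bat in %TEMP% is deleted by its own cmd.exe (PID 2816 above), so expect it to be absent on a live host; its 279-byte hash is only useful against forensic images or file-create telemetry.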