32a2e69906bf41749807cd992b997d09511d4ecf0a730ec4d3ea6f311dfd3ce6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75332c4bd0226cebbc03b503195fb8fc.exe
Size

484KB
MD5

75332c4bd0226cebbc03b503195fb8fc
SHA1

055c9628988f31ea73c8cccf165bb1af956e4ed8
SHA256

32a2e69906bf41749807cd992b997d09511d4ecf0a730ec4d3ea6f311dfd3ce6
SHA512

6e00e1b25cc07d20ac0e710bfc5d1544adc5bb5649d6799bf36f19b1e9c8b10be686f6e14cf4400142cbcd0c1ba60781e72c84f856acefdfb8039d63c82fdfe1
SSDEEP

6144:ZZiqxGmSF71zKKhT03YZBmodoxaK2lhODHIPi7JgQ9cVDoi5pPp6:LXkmo7zhUYZA5j2uJncDjpPp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2976	strdata.exe
2760	strdata.exe
2280	strdata.exe
2692	strdata.exe

Loads dropped DLL 4 IoCs

pid	Process
1692	75332c4bd0226cebbc03b503195fb8fc.exe
1692	75332c4bd0226cebbc03b503195fb8fc.exe
2976	strdata.exe
2760	strdata.exe

Maps connected drives based on registry 3 TTPs 12 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	strdata.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	strdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	75332c4bd0226cebbc03b503195fb8fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	75332c4bd0226cebbc03b503195fb8fc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	75332c4bd0226cebbc03b503195fb8fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	strdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	strdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	strdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	75332c4bd0226cebbc03b503195fb8fc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	75332c4bd0226cebbc03b503195fb8fc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	75332c4bd0226cebbc03b503195fb8fc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	strdata.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\strdata.exe	75332c4bd0226cebbc03b503195fb8fc.exe
File opened for modification	C:\Windows\SysWOW64\strdata.exe	75332c4bd0226cebbc03b503195fb8fc.exe
File created	C:\Windows\SysWOW64\strdata.exe	strdata.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 2064 set thread context of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2976 set thread context of 2760	2976	strdata.exe	32
PID 2760 set thread context of 2280	2760	strdata.exe	33
PID 2280 set thread context of 2692	2280	strdata.exe	34

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1104	75332c4bd0226cebbc03b503195fb8fc.exe
1976	75332c4bd0226cebbc03b503195fb8fc.exe
2064	75332c4bd0226cebbc03b503195fb8fc.exe
2976	strdata.exe
2760	strdata.exe
2280	strdata.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1104 wrote to memory of 1976	1104	75332c4bd0226cebbc03b503195fb8fc.exe	28
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 1976 wrote to memory of 2064	1976	75332c4bd0226cebbc03b503195fb8fc.exe	29
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 2064 wrote to memory of 1692	2064	75332c4bd0226cebbc03b503195fb8fc.exe	30
PID 1692 wrote to memory of 2976	1692	75332c4bd0226cebbc03b503195fb8fc.exe	31
PID 1692 wrote to memory of 2976	1692	75332c4bd0226cebbc03b503195fb8fc.exe	31
PID 1692 wrote to memory of 2976	1692	75332c4bd0226cebbc03b503195fb8fc.exe	31
PID 1692 wrote to memory of 2976	1692	75332c4bd0226cebbc03b503195fb8fc.exe	31
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2976 wrote to memory of 2760	2976	strdata.exe	32
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2760 wrote to memory of 2280	2760	strdata.exe	33
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34
PID 2280 wrote to memory of 2692	2280	strdata.exe	34

C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
"C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
  C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
    C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
    3⤵
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
      C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\strdata.exe
        
        C:\Windows\system32\strdata.exe C:\Users\Admin\AppData\Local\Temp\75332c4bd0226cebbc03b503195fb8fc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\strdata.exe
        
        C:\Windows\SysWOW64\strdata.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\strdata.exe
        
        C:\Windows\SysWOW64\strdata.exe
        7⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\strdata.exe
        
        C:\Windows\SysWOW64\strdata.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\strdata.exe

Filesize
484KB

MD5
75332c4bd0226cebbc03b503195fb8fc

SHA1
055c9628988f31ea73c8cccf165bb1af956e4ed8

SHA256
32a2e69906bf41749807cd992b997d09511d4ecf0a730ec4d3ea6f311dfd3ce6

SHA512
6e00e1b25cc07d20ac0e710bfc5d1544adc5bb5649d6799bf36f19b1e9c8b10be686f6e14cf4400142cbcd0c1ba60781e72c84f856acefdfb8039d63c82fdfe1

Download Submit
memory/1692-37-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-50-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-33-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-32-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-42-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-31-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-30-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-34-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1692-41-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/1976-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1976-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-29-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-38-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-26-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2064-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2280-101-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2692-100-0x0000000003140000-0x000000000317D000-memory.dmp

Filesize
244KB

Download
memory/2760-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download