Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2023 23:14
Static task: static1
Behavioral task: behavioral1
- Sample: ff2be5c3b229cf96e60b39bce28cef5c.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: ff2be5c3b229cf96e60b39bce28cef5c.exe
- Resource: win10v2004-20231215-en
General
- Target: ff2be5c3b229cf96e60b39bce28cef5c.exe
- Size: 29KB
- MD5: ff2be5c3b229cf96e60b39bce28cef5c
- SHA1: 84d44eed116f1f8852e3546e7fd291f8ab7f0a58
- SHA256: 71fd3a87be81c234e60aa4fef6e942209c8478d1e75fa73fa48338c1b4414585
- SHA512: 3adba1b706bc165e20c4273925a60c568991b31156ad6fb1f59ecf54df31e79df65fd89d1346ef7c5dd801d6e79503ef55aef14468c31890460b7cc061828ffd
- SSDEEP: 384:7z/0RPIvpLhgi8G9OgeNK/jYuP3J4V2sidokno7iEMuX/xfTFhpUkjBUy8l3D+:XmP41hgejl3ZdrLel8l3D
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ff2be5c3b229cf96e60b39bce28cef5c.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows update loader = "C:\\Windows\\xpupdate.exe" | ff2be5c3b229cf96e60b39bce28cef5c.exe
- Drops file in Windows directory (2 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File created | C:\Windows\xpupdate.exe | cmd.exe
  File opened for modification | C:\Windows\xpupdate.exe | cmd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: ff2be5c3b229cf96e60b39bce28cef5c.exe
  description | pid | process | target process
  PID 2252 wrote to memory of 4484 | 2252 | ff2be5c3b229cf96e60b39bce28cef5c.exe | cmd.exe
  PID 2252 wrote to memory of 4484 | 2252 | ff2be5c3b229cf96e60b39bce28cef5c.exe | cmd.exe
  PID 2252 wrote to memory of 4484 | 2252 | ff2be5c3b229cf96e60b39bce28cef5c.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ff2be5c3b229cf96e60b39bce28cef5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff2be5c3b229cf96e60b39bce28cef5c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: C:\Windows\system32\cmd.exe /c C:\4.bat
    - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\4.bat
  Filesize: 123B
  MD5: 2978d964c65595931883910436432ad6
  SHA1: 78c5aa85e5a6adff75a892475da550f00826ae04
  SHA256: 0b47e1cd60ade806e9c0652bec6db02e9ce76ac8db4dcd8db779ce030252fc2d
  SHA512: 256a7c65195db8b2c531e1ff8c059f2fe3021ec120f9a89b158a0a44db8cd5705c13d9f1568c763dd86b06cdd122aece1f3774a206463dd1a74d1e1c4a439821
- C:\a
  Filesize: 29KB
  MD5: ff2be5c3b229cf96e60b39bce28cef5c
  SHA1: 84d44eed116f1f8852e3546e7fd291f8ab7f0a58
  SHA256: 71fd3a87be81c234e60aa4fef6e942209c8478d1e75fa73fa48338c1b4414585
  SHA512: 3adba1b706bc165e20c4273925a60c568991b31156ad6fb1f59ecf54df31e79df65fd89d1346ef7c5dd801d6e79503ef55aef14468c31890460b7cc061828ffd
- memory/2252-0-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-4-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-3-0x0000000002150000-0x0000000002180000-memory.dmp (Filesize: 192KB)
- memory/2252-2-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-1-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-15-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-17-0x0000000002150000-0x0000000002180000-memory.dmp (Filesize: 192KB)
- memory/2252-18-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-24-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)
- memory/2252-26-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize: 60KB)