Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2023, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: f7c31f9bbf574bc22b058cc67ad503f9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f7c31f9bbf574bc22b058cc67ad503f9.exe
  Resource: win10v2004-20231222-en
General
Target: f7c31f9bbf574bc22b058cc67ad503f9.exe
Size: 908KB
MD5: f7c31f9bbf574bc22b058cc67ad503f9
SHA1: 1581e7f3b778303068451d1eaa3e309fdd9d188b
SHA256: f619484090ebbe96ee99eac61b5ba76acf3063a114b5ff1d8f1464ef98553adf
SHA512: 6bacd170f5ac04617df5466677ef13963a7db4c0e5196a3716c789fc4b3cbb0b24c5a4262a52d6836fb30940fcaf419364cc1bcf309c9c9f51bcf79a9f05c366
SSDEEP: 24576:8/NiRWfP4WOfJ/418E3X4ur1FYM0/5b3MomTlZx:uYUtOfJFE3X4urY5hAoY7
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 2688  Process nzy4linWjhqSjOVfKdCq.exe
Drops file in Windows directory (3 IoCs)
  File created C:\Windows\nzy4linWjhqSjOVfKdCq.exe  Process f7c31f9bbf574bc22b058cc67ad503f9.exe
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new  Process f7c31f9bbf574bc22b058cc67ad503f9.exe
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new  Process f7c31f9bbf574bc22b058cc67ad503f9.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid 2568  pid_target 2688  Process WerFault.exe  procid_target 28
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3028 wrote to memory of 2688  Process f7c31f9bbf574bc22b058cc67ad503f9.exe  procid_target 28
  PID 3028 wrote to memory of 2688  Process f7c31f9bbf574bc22b058cc67ad503f9.exe  procid_target 28
  PID 3028 wrote to memory of 2688  Process f7c31f9bbf574bc22b058cc67ad503f9.exe  procid_target 28
  PID 3028 wrote to memory of 2688  Process f7c31f9bbf574bc22b058cc67ad503f9.exe  procid_target 28
  PID 2688 wrote to memory of 2568  Process nzy4linWjhqSjOVfKdCq.exe  procid_target 29
  PID 2688 wrote to memory of 2568  Process nzy4linWjhqSjOVfKdCq.exe  procid_target 29
  PID 2688 wrote to memory of 2568  Process nzy4linWjhqSjOVfKdCq.exe  procid_target 29
  PID 2688 wrote to memory of 2568  Process nzy4linWjhqSjOVfKdCq.exe  procid_target 29
Processes
C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe"
  PID: 3028
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\nzy4linWjhqSjOVfKdCq.exe
    Command line: "C:\Windows\nzy4linWjhqSjOVfKdCq.exe"
    PID: 2688
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 552
      PID: 2568
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: ffe738fec012a4d42fb4ed93a308bcf2
SHA1: dd7ce6830f28f867e615c2c245b03daa26f47aa3
SHA256: 9451b95d4eedd1970aad2f6d28e52f566b954e23e1c2d2647a3832b31261565d
SHA512: 8e51aec890aead09276bb511a7cc46aae2d262a0f3553815e5839fb4657d9b67b30f8c6dc65e0304095f45365ed980f12c9ebd5bd0c581630c53a972ebf0f15b