Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
29-12-2023 21:44
Static task
static1
Behavioral task
behavioral1
Sample
04befedbe76440e1e24e59ff4244ce6a.exe
Resource
win7-20231129-en
windows7-x64
5 signatures
150 seconds
General
-
Target
04befedbe76440e1e24e59ff4244ce6a.exe
-
Size
8.9MB
-
MD5
04befedbe76440e1e24e59ff4244ce6a
-
SHA1
a8a2d779abb35bf23ba21575af1e95a2ecd17265
-
SHA256
bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee
-
SHA512
fa52f5bf9327ba9aade2cf8cc115b824761f45fe195079ec5738f71258e4cac8b1b33b3fba3954aef7aef92c44de47f249d3109f56f798f5ad7be49d9d37f0f2
-
SSDEEP
196608:YwX6s+9/A4IlpYpvG2OF+n4XRg2SS20yfdVJMjOK:YwX6s+9boYAhbgAy1vMKK
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
1628  SmartCleanup.exe
-
Loads dropped DLL 3 IoCs
pid   Process
3020  04befedbe76440e1e24e59ff4244ce6a.exe
3020  04befedbe76440e1e24e59ff4244ce6a.exe
1628  SmartCleanup.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     api.ipify.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                               procid_target
PID 3020 wrote to memory of 1628  3020  04befedbe76440e1e24e59ff4244ce6a.exe  28
PID 3020 wrote to memory of 1628  3020  04befedbe76440e1e24e59ff4244ce6a.exe  28
PID 3020 wrote to memory of 1628  3020  04befedbe76440e1e24e59ff4244ce6a.exe  28
PID 3020 wrote to memory of 1628  3020  04befedbe76440e1e24e59ff4244ce6a.exe  28
Processes
-
C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"  (level 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3020
  C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
    command line: "C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"  (level 2)
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1628
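Two of the signatures above deserve a second look before the score is taken at face value. All four "Suspicious use of WriteProcessMemory" rows show PID 3020 writing into PID 1628, and the process tree shows 1628 is the child that 3020 itself launched; a parent writing into a freshly created child is also what a normal CreateProcess start-up looks like, so on its own this is not evidence of code injection. The stronger behavioural facts are the drop-and-execute into a per-user directory (%Temp% parent, %AppData%\Roaming child) and the external IP lookup against api.ipify.org. The script below is an added triage example, not part of the sandbox output: it re-enters the report's process and WriteProcessMemory rows as constructed inline data, distinguishes parent-to-child writes from true cross-process writes, flags the user-writable drop path, and matches contacted hosts against an assumed watchlist of IP lookup services (only api.ipify.org comes from this report; the other hostnames are assumptions added for illustration).

```python
"""Triage helpers for the behavioural signatures in this sandbox report.

Added example; not sandbox code. The data below is re-entered by hand
from the report so the script runs offline.
"""
import re
from pathlib import PureWindowsPath

# Process list re-entered from the report: (pid, parent pid, image path).
# The root's parent is not shown in the report, so it is recorded as None.
PROCESSES = [
    (3020, None, r"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"),
    (1628, 3020, r"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"),
]

# The four "Suspicious use of WriteProcessMemory" rows, in the report's layout:
# description | pid | Process | procid_target
WPM_LINES = [
    "PID 3020 wrote to memory of 1628 3020 04befedbe76440e1e24e59ff4244ce6a.exe 28",
] * 4

# Assumed watchlist of public IP lookup services; api.ipify.org is the one
# seen in this report, the rest are common alternatives added for illustration.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "icanhazip.com", "ifconfig.me",
    "checkip.amazonaws.com", "ip-api.com", "ipinfo.io",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(lines):
    """Turn the report's WriteProcessMemory rows into source/destination events."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a WriteProcessMemory row
        src, dst, pid, proc, target = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "process": proc, "procid_target": int(target)})
    return events


def classify_wpm(events, processes):
    """Label each write as parent-writes-child (the shape a normal process
    launch produces) or cross-process (a write into an unrelated process,
    which is the pattern worth investigating as injection)."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    labels = []
    for e in events:
        if parent_of.get(e["dst"]) == e["src"]:
            labels.append("parent-writes-child")
        else:
            labels.append("cross-process")
    return labels


def _user_writable(path):
    """True for images under a per-user profile directory (AppData, Temp)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "appdata" in parts


def dropped_exe_from_user_dir(processes):
    """PIDs whose image lives in a user-writable directory and whose parent
    also runs from one: the 'drop to %AppData%, then execute' shape."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in processes}
    hits = []
    for pid, (ppid, path) in by_pid.items():
        if ppid is None or ppid not in by_pid:
            continue
        if _user_writable(path) and _user_writable(by_pid[ppid][1]):
            hits.append(pid)
    return sorted(hits)


def flag_ip_lookup(hosts):
    """Return the contacted hosts that are known external-IP lookup services."""
    return sorted(h.lower() for h in hosts if h.lower() in IP_LOOKUP_HOSTS)


def triage(wpm_lines, processes, hosts):
    """Combine the three checks into a list of findings for the analyst."""
    findings = []
    labels = classify_wpm(parse_wpm(wpm_lines), processes)
    if "cross-process" in labels:
        findings.append("cross-process memory write: possible injection")
    elif labels:
        findings.append("memory writes are parent->child only: consistent with process launch")
    for pid in dropped_exe_from_user_dir(processes):
        findings.append(f"pid {pid} executes from a user-writable path dropped by its parent")
    for host in flag_ip_lookup(hosts):
        findings.append(f"external IP lookup via {host}")
    return findings


if __name__ == "__main__":
    for line in triage(WPM_LINES, PROCESSES, ["api.ipify.org"]):
        print(line)
```

Run against the report's data, the result is a parent-only write pattern plus a dropped executable under %AppData%\Roaming and an IP lookup, which is what you would expect from an installer-style dropper and is a reason to pull SmartCleanup.exe out of the sandbox for its own analysis rather than to treat the WriteProcessMemory hits as injection.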