Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
29-12-2023 21:44
Static task
static1
Behavioral task
behavioral1
Sample
04befedbe76440e1e24e59ff4244ce6a.exe
Resource
win7-20231129-en
General
-
Target
04befedbe76440e1e24e59ff4244ce6a.exe
-
Size
8.9MB
-
MD5
04befedbe76440e1e24e59ff4244ce6a
-
SHA1
a8a2d779abb35bf23ba21575af1e95a2ecd17265
-
SHA256
bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee
-
SHA512
fa52f5bf9327ba9aade2cf8cc115b824761f45fe195079ec5738f71258e4cac8b1b33b3fba3954aef7aef92c44de47f249d3109f56f798f5ad7be49d9d37f0f2
-
SSDEEP
196608:YwX6s+9/A4IlpYpvG2OF+n4XRg2SS20yfdVJMjOK:YwX6s+9boYAhbgAy1vMKK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
SmartCleanup.exepid process 1628 SmartCleanup.exe -
Loads dropped DLL 3 IoCs
Processes:
04befedbe76440e1e24e59ff4244ce6a.exeSmartCleanup.exepid process 3020 04befedbe76440e1e24e59ff4244ce6a.exe 3020 04befedbe76440e1e24e59ff4244ce6a.exe 1628 SmartCleanup.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
04befedbe76440e1e24e59ff4244ce6a.exedescription pid process target process PID 3020 wrote to memory of 1628 3020 04befedbe76440e1e24e59ff4244ce6a.exe SmartCleanup.exe PID 3020 wrote to memory of 1628 3020 04befedbe76440e1e24e59ff4244ce6a.exe SmartCleanup.exe PID 3020 wrote to memory of 1628 3020 04befedbe76440e1e24e59ff4244ce6a.exe SmartCleanup.exe PID 3020 wrote to memory of 1628 3020 04befedbe76440e1e24e59ff4244ce6a.exe SmartCleanup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1628-557-0x0000000000400000-0x0000000000A0F000-memory.dmpFilesize
6.1MB
-
memory/3020-0-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3020-554-0x0000000004090000-0x000000000469F000-memory.dmpFilesize
6.1MB
-
memory/3020-548-0x0000000002930000-0x0000000002940000-memory.dmpFilesize
64KB
-
memory/3020-559-0x0000000000400000-0x0000000000701000-memory.dmpFilesize
3.0MB