Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2023, 22:37
Static task: static1
Behavioral task: behavioral1
  Sample: 05d27d3b8ef3f0e6b720b48a4ac95197.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 05d27d3b8ef3f0e6b720b48a4ac95197.exe
  Resource: win10v2004-20231215-en
General
Target: 05d27d3b8ef3f0e6b720b48a4ac95197.exe
Size: 60KB
MD5: 05d27d3b8ef3f0e6b720b48a4ac95197
SHA1: 1cd1bf3183db924a4199329411009ce7d008a4b8
SHA256: 9a158e093959105e381fe82ace28d4b85a67334395aabb85ad1bf3cd3b2dcf26
SHA512: a3d23dc1835cb46cb84cf7b6541da919a1a70b93fb2395404a34a8ee90302c27728ef3bbcd749a879f484e302ecedd350a9afe006ac74212766db94376be4d77
SSDEEP: 768:dMVOQl0KWwJ917vmdox7CflsQSsgUV9d+6DAOESj6Zz6ZjkfZa8g0FO:iqK9JWdox7C9sQ59d1EOERO
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2756  agetlkeyls.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe
  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                                   Process
  File created                  C:\Windows\SysWOW64\psapi.lib         05d27d3b8ef3f0e6b720b48a4ac95197.exe
  File created                  C:\Windows\SysWOW64\agetlkeyls.exe    05d27d3b8ef3f0e6b720b48a4ac95197.exe
  File opened for modification  C:\Windows\SysWOW64\agetlkeyls.exe    05d27d3b8ef3f0e6b720b48a4ac95197.exe
  File opened for modification  C:\Windows\SysWOW64\psapi.lib         agetlkeyls.exe
  File created                  C:\Windows\SysWOW64\psapi.lib         agetlkeyls.exe
  File opened for modification  C:\Windows\SysWOW64\psapi.lib         05d27d3b8ef3f0e6b720b48a4ac95197.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe
  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe
  2756  agetlkeyls.exe
  2756  agetlkeyls.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                                procid_target
  PID 2276 wrote to memory of 2756  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe  28
  PID 2276 wrote to memory of 2756  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe  28
  PID 2276 wrote to memory of 2756  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe  28
  PID 2276 wrote to memory of 2756  2276  05d27d3b8ef3f0e6b720b48a4ac95197.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\05d27d3b8ef3f0e6b720b48a4ac95197.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d27d3b8ef3f0e6b720b48a4ac95197.exe"
  PID: 2276
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child process: C:\Windows\SysWOW64\agetlkeyls.exe
    Command line: "C:\Windows\system32\agetlkeyls.exe"
    PID: 2756
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 19KB
MD5: a5b1b1f7c2c51ff400d93ae63f484d96
SHA1: 5f038003bf8851254ba577db5d8dfd69c1085c33
SHA256: 35b1d2d2bc5c531d49aa3550de5c19bd5f4ebe79c594c6f5000d6de28b2621bf
SHA512: 90c2145b39611bd1406c513dff16366a51e86e8831c34ab15f650e6620a75533e800db056dda2e7e176fac8b20cd0be76bc1725b45930b31595d4aac00da4eec

Filesize: 60KB
MD5: 05d27d3b8ef3f0e6b720b48a4ac95197
SHA1: 1cd1bf3183db924a4199329411009ce7d008a4b8
SHA256: 9a158e093959105e381fe82ace28d4b85a67334395aabb85ad1bf3cd3b2dcf26
SHA512: a3d23dc1835cb46cb84cf7b6541da919a1a70b93fb2395404a34a8ee90302c27728ef3bbcd749a879f484e302ecedd350a9afe006ac74212766db94376be4d77