976b70795d34332b6aafcf4b259049dca721b512b289f4eb5be50cfe1f45cc09

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01ade46a97396086a7ce742a14f1ecfd.exe
Size

16KB
MD5

01ade46a97396086a7ce742a14f1ecfd
SHA1

71e65bca782c3f512e3a765f9ef4bf786e6ccbc3
SHA256

976b70795d34332b6aafcf4b259049dca721b512b289f4eb5be50cfe1f45cc09
SHA512

a8209a371f85af5479ebc5d72c5ef6368e126587c29bd30e73ff630dd1a425646ecb2511d16bc1a07f80bbf851052779aed3ca73d1be6aee02688ad6899bd453
SSDEEP

384:mhW/WzLiGOuwLR8JIEgh5xMvkDRyiyxI97zqp52BsahC:FhLRZxMvARyVI97+p52uYC

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\39529C04\ImagePath = "C:\\Windows\\system32\\ED248A00.EXE -d"	01ade46a97396086a7ce742a14f1ecfd.exe

Deletes itself 1 IoCs

pid	Process
1756	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	ED248A00.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ED248A00.EXE	01ade46a97396086a7ce742a14f1ecfd.exe
File opened for modification	C:\Windows\SysWOW64\ED248A00.EXE	01ade46a97396086a7ce742a14f1ecfd.exe
File created	C:\Windows\SysWOW64\ED248A00.EXE	ED248A00.EXE
File created	C:\Windows\SysWOW64\E694EAFC.DLL	ED248A00.EXE
File created	C:\Windows\SysWOW64\del.bat	01ade46a97396086a7ce742a14f1ecfd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3016	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2836	01ade46a97396086a7ce742a14f1ecfd.exe
2276	ED248A00.EXE
2276	ED248A00.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1756	2836	01ade46a97396086a7ce742a14f1ecfd.exe	31
PID 2836 wrote to memory of 1756	2836	01ade46a97396086a7ce742a14f1ecfd.exe	31
PID 2836 wrote to memory of 1756	2836	01ade46a97396086a7ce742a14f1ecfd.exe	31
PID 2836 wrote to memory of 1756	2836	01ade46a97396086a7ce742a14f1ecfd.exe	31
PID 1756 wrote to memory of 3016	1756	cmd.exe	30
PID 1756 wrote to memory of 3016	1756	cmd.exe	30
PID 1756 wrote to memory of 3016	1756	cmd.exe	30
PID 1756 wrote to memory of 3016	1756	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\01ade46a97396086a7ce742a14f1ecfd.exe
"C:\Users\Admin\AppData\Local\Temp\01ade46a97396086a7ce742a14f1ecfd.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1756

C:\Windows\SysWOW64\ED248A00.EXE
C:\Windows\SysWOW64\ED248A00.EXE -d
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\SysWOW64\PING.EXE
ping n 1 127.0.0.1
1⤵
- Runs ping.exe
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ED248A00.EXE

Filesize
16KB

MD5
01ade46a97396086a7ce742a14f1ecfd

SHA1
71e65bca782c3f512e3a765f9ef4bf786e6ccbc3

SHA256
976b70795d34332b6aafcf4b259049dca721b512b289f4eb5be50cfe1f45cc09

SHA512
a8209a371f85af5479ebc5d72c5ef6368e126587c29bd30e73ff630dd1a425646ecb2511d16bc1a07f80bbf851052779aed3ca73d1be6aee02688ad6899bd453

Download Submit
C:\Windows\SysWOW64\del.bat

Filesize
237B

MD5
cd0e054f92f921666f92d008f5320491

SHA1
e72f943833537a7d47d2a680dc12d9814de5d325

SHA256
f6c1209fbb5bf709dca9bcb11527e245b499d96f877ac391b38eeb65c72dfad4

SHA512
df2a6db815781568ccc4522fb5f904848ae72c3140a30fa32c107fcfb4860f48123a36b6bf40038f4b0f10b8fbc9013db0ff462db5de0e189fa962941392c4fa

Download Submit
memory/2276-7-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2276-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2276-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-1-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2836-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download