Analysis
- max time kernel: 147s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 20:24
Static task: static1
Behavioral task: behavioral1
- Sample: 0303a9ce0eeacb03b316b389b064c382.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0303a9ce0eeacb03b316b389b064c382.exe
- Resource: win10v2004-20231215-en
General
- Target: 0303a9ce0eeacb03b316b389b064c382.exe
- Size: 80KB
- MD5: 0303a9ce0eeacb03b316b389b064c382
- SHA1: 09d6ce75f67b76559a8e8b7864aa0a1517c5d739
- SHA256: 98cd401c51c7c3bdd8f5f87d7d646dc37556e49bc430b1d7cafdb62306370d59
- SHA512: 83df8a77a4a306423dc138d12f3f7a5dbb677beccc0718df44bbf868d72e1aaf25feab249b014093d62ddbba456a2dc1f7d1a6c4683d7e1362e7f042937c9bdb
- SSDEEP: 1536:K+OqSAbvzqQrVPLGS3QhXHZtpBQ5XFRfDw3CuJlgxkZ2XSXivZ8:K+OYbeWW7AXFShgxs2Xmix8
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs): modifies file attributes to stop it showing in Explorer etc.
  - PID 2728, attrib.exe
- Deletes itself (1 IoCs)
  - PID 2536, cmd.exe
- Executes dropped EXE (1 IoCs)
  - PID 2696, SystemPro.exe
- Loads dropped DLL (2 IoCs)
  - PID 2536, cmd.exe (reported twice)
- Drops file in Windows directory (4 IoCs)
  - File opened for modification: C:\Windows\inf\SystemPro.exe (attrib.exe)
  - File created: C:\Windows\inf\705.5475.bat (0303a9ce0eeacb03b316b389b064c382.exe)
  - File created: C:\Windows\inf\SystemPro.exe (cmd.exe)
  - File opened for modification: C:\Windows\inf\SystemPro.exe (cmd.exe)
- Kills process with taskkill (2 IoCs)
  - PID 2984, taskkill.exe
  - PID 2992, taskkill.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  - PID 1856, PING.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2984, taskkill.exe
  - Token: SeDebugPrivilege, PID 2992, taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 1868, 0303a9ce0eeacb03b316b389b064c382.exe
  - PID 2696, SystemPro.exe
- Suspicious use of WriteProcessMemory (32 IoCs; each of the 8 entries below was reported 4 times)
  - PID 1868 (0303a9ce0eeacb03b316b389b064c382.exe) wrote to memory of PID 2536 (procid_target 29)
  - PID 2536 (cmd.exe) wrote to memory of PID 1856 (procid_target 30)
  - PID 2536 (cmd.exe) wrote to memory of PID 2728 (procid_target 31)
  - PID 2536 (cmd.exe) wrote to memory of PID 2696 (procid_target 32)
  - PID 2696 (SystemPro.exe) wrote to memory of PID 2704 (procid_target 33)
  - PID 2696 (SystemPro.exe) wrote to memory of PID 1324 (procid_target 35)
  - PID 1324 (cmd.exe) wrote to memory of PID 2984 (procid_target 38)
  - PID 2704 (cmd.exe) wrote to memory of PID 2992 (procid_target 37)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  - PID 2728, attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0303a9ce0eeacb03b316b389b064c382.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0303a9ce0eeacb03b316b389b064c382.exe"
  PID: 1868
  Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\inf\705.5475.bat
    PID: 2536
    Deletes itself; Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.1
      PID: 1856
      Runs ping.exe
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Windows\inf\SystemPro.exe"
      PID: 2728
      Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\inf\SystemPro.exe
      Command line: "C:\Windows\inf\SystemPro.exe"
      PID: 2696
      Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c taskkill /f /im Rstray.exe
        PID: 2704
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im Rstray.exe
          PID: 2992
          Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c taskkill /f /im 360tray.exe
        PID: 1324
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im 360tray.exe
          PID: 2984
          Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 296B
  MD5: 321c605ba7d9b1e060fb1d897306fb7b
  SHA1: 9ba714dfc687ebfb43c689a1ef9e1e359f49759f
  SHA256: 49c3bce8c441534695752295f082321afb993581c33d1273ddbd27f996020a2f
  SHA512: debef5c4ce672b638d010e4759ba7a3ff9cb3fce116510b6288babaec5ca74a63170639e1fcc6ea7a5fa797331c4d65a50cb0c58eae80c759209eefc7f62da16
- Filesize: 80KB
  MD5: 0303a9ce0eeacb03b316b389b064c382
  SHA1: 09d6ce75f67b76559a8e8b7864aa0a1517c5d739
  SHA256: 98cd401c51c7c3bdd8f5f87d7d646dc37556e49bc430b1d7cafdb62306370d59
  SHA512: 83df8a77a4a306423dc138d12f3f7a5dbb677beccc0718df44bbf868d72e1aaf25feab249b014093d62ddbba456a2dc1f7d1a6c4683d7e1362e7f042937c9bdb