Analysis

  • max time kernel
    0s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 19:51

General

  • Target

    024cde85d1a11c1b2e6749ec80b50fad.exe

  • Size

    2.8MB

  • MD5

    024cde85d1a11c1b2e6749ec80b50fad

  • SHA1

    5f7226f27b0106f6050ce61d78e9c0fc8cfb8373

  • SHA256

    db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b

  • SHA512

    5016d4eb26602300e49365186ce768026ac73927f41773883a6fc43376b622bc76a2d72d675cfa29224540cf82f8291a9ed03b0d5b762678d30b29f963ee7ccc

  • SSDEEP

    49152:KynUHNR9PKXUm1WHyilGSvn/5Kaq1rO5n8UXRaa/B03ak8JqFJ7BHKQk6j:KyUHNjSXUmIHy8Zv/Uaq1yJqak8JqbFR

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\024cde85d1a11c1b2e6749ec80b50fad.exe
    "C:\Users\Admin\AppData\Local\Temp\024cde85d1a11c1b2e6749ec80b50fad.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C bitsfx.txt -p123
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2372
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
    1⤵
      PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
      1⤵
        PID:2824
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
        1⤵
          PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft InstallShield" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe" /f
          1⤵
            PID:2852
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
            1⤵
              PID:3060
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C start /min C:\Windows\system32\cmd.exe /C xcopy "bit.txt" "C:\Users\Admin\AppData\Roaming\Microsoft\InstallShield\Desktop.exe*" /Y
              1⤵
                PID:2760
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bitsfx.txt
                bitsfx.txt -p123
                1⤵
                • Executes dropped EXE
                PID:2780
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /C bitsfx.txt -p123
                1⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\RarSFX0\bitsfx.txt

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2780-11-0x00000000011A0000-0x00000000011A1000-memory.dmp

    Filesize

    4KB