ccfd9b61f6175dfeb96e499278290eebedd86de887eec72962dc35c1a6bac06a

Analysis

max time kernel
1s
max time network
1s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026f3de8d80e6896ada5db4e69585f25.exe
Size

264KB
MD5

026f3de8d80e6896ada5db4e69585f25
SHA1

8137bedb17f76f896affe243edd59796fc55a43d
SHA256

ccfd9b61f6175dfeb96e499278290eebedd86de887eec72962dc35c1a6bac06a
SHA512

6c078845c58d78f3acd58d30a00481754d9c702bd2ffd40e65d578c767f841f263370fabbba666c747eca2ea9e2ba595b2b06ddcf85390253859f0c8cda4fb11
SSDEEP

3072:tWt+DwmdWQSgdoEtL/i5LLPQZnQ5BdMXIO7HxRq6Cg92LmvzgTKSr817EuqIZdbb:tW8DxWQSg2Etri5LLYAhvO8dxa

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe	026f3de8d80e6896ada5db4e69585f25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger = "ntsd -d"	026f3de8d80e6896ada5db4e69585f25.exe

Loads dropped DLL 1 IoCs

pid	Process
1904	026f3de8d80e6896ada5db4e69585f25.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\WSockDrv32 = "C:\\Windows\\WSockDrv32.exe"	026f3de8d80e6896ada5db4e69585f25.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WSockDrv32.dll	026f3de8d80e6896ada5db4e69585f25.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WSockDrv32.exe	026f3de8d80e6896ada5db4e69585f25.exe
File created	C:\Windows\WSockDrv32.exe	026f3de8d80e6896ada5db4e69585f25.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1904	026f3de8d80e6896ada5db4e69585f25.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	026f3de8d80e6896ada5db4e69585f25.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1260	1904	026f3de8d80e6896ada5db4e69585f25.exe	7
PID 1904 wrote to memory of 1260	1904	026f3de8d80e6896ada5db4e69585f25.exe	7

C:\Users\Admin\AppData\Local\Temp\026f3de8d80e6896ada5db4e69585f25.exe
"C:\Users\Admin\AppData\Local\Temp\026f3de8d80e6896ada5db4e69585f25.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\WSockDrv32.dll

Filesize
29KB

MD5
c8f973efb9f173cc3b6bfe447a363fd0

SHA1
efad7846856a373bbd5394a084037cd1584bf483

SHA256
c42e20505cda9178fcb63c1823367f3e7526afb5470323725df8aa5b68abf94e

SHA512
173b02d9eaa6ab708164aa473182a7331d7ad4efac131aa2a238b34e4916898cda6069f9df47e5a9d933b30665de048c7dca369aa44097e416d9c8070aa14074

Download Submit
memory/1260-2-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1904-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1904-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download