Analysis
-
max time kernel
1s -
max time network
1s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
29/12/2023, 19:58
Static task
static1
Behavioral task
behavioral1
Sample
026f3de8d80e6896ada5db4e69585f25.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
026f3de8d80e6896ada5db4e69585f25.exe
Resource
win10v2004-20231222-en
General
-
Target
026f3de8d80e6896ada5db4e69585f25.exe
-
Size
264KB
-
MD5
026f3de8d80e6896ada5db4e69585f25
-
SHA1
8137bedb17f76f896affe243edd59796fc55a43d
-
SHA256
ccfd9b61f6175dfeb96e499278290eebedd86de887eec72962dc35c1a6bac06a
-
SHA512
6c078845c58d78f3acd58d30a00481754d9c702bd2ffd40e65d578c767f841f263370fabbba666c747eca2ea9e2ba595b2b06ddcf85390253859f0c8cda4fb11
-
SSDEEP
3072:tWt+DwmdWQSgdoEtL/i5LLPQZnQ5BdMXIO7HxRq6Cg92LmvzgTKSr817EuqIZdbb:tW8DxWQSg2Etri5LLYAhvO8dxa
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe 026f3de8d80e6896ada5db4e69585f25.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger = "ntsd -d" 026f3de8d80e6896ada5db4e69585f25.exe -
Loads dropped DLL 1 IoCs
pid Process 1904 026f3de8d80e6896ada5db4e69585f25.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\WSockDrv32 = "C:\\Windows\\WSockDrv32.exe" 026f3de8d80e6896ada5db4e69585f25.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\WSockDrv32.dll 026f3de8d80e6896ada5db4e69585f25.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\WSockDrv32.exe 026f3de8d80e6896ada5db4e69585f25.exe File created C:\Windows\WSockDrv32.exe 026f3de8d80e6896ada5db4e69585f25.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1904 026f3de8d80e6896ada5db4e69585f25.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1904 026f3de8d80e6896ada5db4e69585f25.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1904 wrote to memory of 1260 1904 026f3de8d80e6896ada5db4e69585f25.exe 7 PID 1904 wrote to memory of 1260 1904 026f3de8d80e6896ada5db4e69585f25.exe 7
Processes
-
C:\Users\Admin\AppData\Local\Temp\026f3de8d80e6896ada5db4e69585f25.exe"C:\Users\Admin\AppData\Local\Temp\026f3de8d80e6896ada5db4e69585f25.exe"1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1260
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5c8f973efb9f173cc3b6bfe447a363fd0
SHA1efad7846856a373bbd5394a084037cd1584bf483
SHA256c42e20505cda9178fcb63c1823367f3e7526afb5470323725df8aa5b68abf94e
SHA512173b02d9eaa6ab708164aa473182a7331d7ad4efac131aa2a238b34e4916898cda6069f9df47e5a9d933b30665de048c7dca369aa44097e416d9c8070aa14074