Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: 02a5638788e0ab39c4cf822ba35787bc.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 02a5638788e0ab39c4cf822ba35787bc.exe
- Resource: win10v2004-20231215-en
General
- Target: 02a5638788e0ab39c4cf822ba35787bc.exe
- Size: 40KB
- MD5: 02a5638788e0ab39c4cf822ba35787bc
- SHA1: 39d7d10908309d1f38592ce04ed23bcf857d6e85
- SHA256: 12e2ec3a7568d46479306a177eb14d991b613a7cb3a9499d80facc6dc8129d2c
- SHA512: 216b63e1334e666bee79af3f753fafb2f40e405750b5435c97a5a70884246abf50be910d396e1f8f6d09c6e18a38e7b212cd44d828b22c900da22fed33a43e43
- SSDEEP: 768:So20WNjWJaMOs13VT8YZTeHS2NOehee2Y/xaBeYwTOKI5dJIle33Gtq1IimOg1ID:F2NlWJaMb3hll24ehee2vh0OKRc30q1f
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key | exe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key\StubPath = "C:\\Windows\\exe.exe" | exe.exe
- Deletes itself (1 IoC)
  pid | Process
  2904 | cmd.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1336 | 02A563~1.EXE
  2932 | exe.exe
  856 | exe.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2904 | cmd.exe
  2904 | cmd.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\w32_systm.exe | 02a5638788e0ab39c4cf822ba35787bc.exe
  File created | C:\Windows\w32_sysbm.bat | 02a5638788e0ab39c4cf822ba35787bc.exe
  File created | C:\Windows\exe.exe | 02A563~1.EXE
  File opened for modification | C:\Windows\exe.exe | 02A563~1.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  856 | exe.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2960 wrote to memory of 2904 | 2960 | 02a5638788e0ab39c4cf822ba35787bc.exe | 29 (4 identical entries)
  PID 2904 wrote to memory of 1336 | 2904 | cmd.exe | 30 (4 identical entries)
  PID 1336 wrote to memory of 2932 | 1336 | 02A563~1.EXE | 31 (4 identical entries)
  PID 2932 wrote to memory of 856 | 2932 | exe.exe | 32 (4 identical entries)
  PID 856 wrote to memory of 1284 | 856 | exe.exe | 17 (the remaining 48 entries, all identical)
Processes
- Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1284
  - Level 2: C:\Users\Admin\AppData\Local\Temp\02a5638788e0ab39c4cf822ba35787bc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02a5638788e0ab39c4cf822ba35787bc.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2960
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Windows\w32_sysbm.bat" "
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2904
      - Level 4: C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE
        Command line: C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE
        Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        PID: 1336
        - Level 5: C:\Windows\exe.exe
          Command line: "C:\Windows\exe.exe" "C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          PID: 2932
          - Level 6: C:\Windows\exe.exe
            Command line: "C:\Windows\exe.exe" stm
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
            PID: 856
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 339B
  MD5: fed0a2750d4a3fd12fff2c53a14cc6ff
  SHA1: 4acab81e0dc32586994ae7604260a998a3845120
  SHA256: fc31bf4679f0dfcda7f4b2a701a68f8880e5d80b63fd66f1883dd4f2e1a4fbe0
  SHA512: 91de1b008aabe03f1b77ef0321484069b08b51bceee9cd8cc6ed7d129bd0d4720658c47dd81d741b17c950c7f17d62f974a0ca33879d654faa6866ff8a0bc68d
- Filesize: 65KB
  MD5: 854586763dd57256c7ae57b61e7022fd
  SHA1: b044c24c357d1ebe00e9b2d3a8761c20aeb8b406
  SHA256: 6a2deee4e1976105df675fb3dddfe77b37ebdaba59d1e05e9fc6c122b4e58d02
  SHA512: 8e901a948a0ea6f028be7b0b17120e5cac6a89d0b1116216b05ea158015b41192369bd0dddcefa91567dec7e176dcca827aa0b4d42c5711005be7c05a721147a