Analysis

Max time kernel: 140s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 29/12/2023, 20:53

Behavioral task: behavioral1
Sample: 03b57d524ee4f6c57e6acea379e9dee1.exe
Resource: win7-20231129-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 03b57d524ee4f6c57e6acea379e9dee1.exe
Resource: win10v2004-20231215-en
2 signatures, 150 seconds

The platform, resource and memory-dump names on this page belong to the behavioral1 (Windows 7 x64) task; the Windows 10 task produced one signature fewer.
General

Target: 03b57d524ee4f6c57e6acea379e9dee1.exe
Size: 7KB
MD5: 03b57d524ee4f6c57e6acea379e9dee1
SHA1: e687688f40ca520125d40e20e9995fe0bbf82b6a
SHA256: 5242e38434f3e5b05e838946abd72fe883ed534d44c013eb1b8123a0717e5274
SHA512: bf805d945cbebf35fa1b6a84fddbfb32199b79178164475a6c70f29488f16d529f0f85b09d048ec9b430aeecfd08ea628811b83bfca542e684f932ae54ffb4fb
SSDEEP: 96:l73kw4RZpXD7LmS4Xrc3je3cZzrRHiSkZRP1W4mVQVBGhG3IsnKc9:lTqRZN/LJWYTA1zREQ37L

Score: 8/10
Malware Config: none listed

Signatures

1. Adds policy Run key to start application (2 TTPs, 2 IoCs)
   Description: Key created | IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | Process: 03b57d524ee4f6c57e6acea379e9dee1.exe
   Description: Set value (str) | IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\QuickTimeTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\03b57d524ee4f6c57e6acea379e9dee1.exe" | Process: 03b57d524ee4f6c57e6acea379e9dee1.exe

   Note: Policies\Explorer\Run is the Group Policy backed autostart location (the "Run these programs at user logon" policy); entries there launch at logon like the ordinary HKLM\...\Run key but are checked far less often. The value name QuickTimeTask mimics the legitimate "QuickTime Task" autorun entry, and the payload path is the sample itself in the user's Temp directory, which is the first thing to look for when triaging this key. The key is the machine hive, so the sample was running with rights sufficient to write HKLM.

2. UPX packed file (yara_rule: upx, 2 IoCs)
   Resource: behavioral1/memory/2892-0-0x0000000000400000-0x0000000000409000-memory.dmp | rule: upx
   Resource: behavioral1/memory/2892-1-0x0000000000400000-0x0000000000409000-memory.dmp | rule: upx

   Note: both dumps are the sample's own image mapped at 0x400000 over 0x9000 bytes, while the file on disk is 7 KB, which is what a UPX-packed executable looks like once its stub has unpacked it in memory. The on-disk file hashes above therefore describe the packed layer only; static signatures should be written against the unpacked dump.

3. Suspicious use of WriteProcessMemory (4 IoCs)
   Description: PID 2892 wrote to memory of 2996 | PID: 2892 | Process: 03b57d524ee4f6c57e6acea379e9dee1.exe | procid_target: 24 (recorded 4 times)

   Note: the four writes go into ctfmon.exe, a child the sample spawned itself (see Processes). Writing into a freshly created child is the pattern seen in process hollowing and RunPE-style loaders, but this report records only the writes; it does not show the child being created suspended, a thread context being changed, or the child being resumed, so hollowing is a plausible inference here rather than a confirmed step.
Processes

1. C:\Users\Admin\AppData\Local\Temp\03b57d524ee4f6c57e6acea379e9dee1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03b57d524ee4f6c57e6acea379e9dee1.exe"
   PID: 2892
   Signatures: Adds policy Run key to start application; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ctfmon.exe
      Command line: ctfmon.exe
      PID: 2996

Note: the child is the 32-bit copy of ctfmon.exe under SysWOW64, which is what a 32-bit parent gets on x64 Windows through file system redirection when it launches "ctfmon.exe" by name; that is consistent with the arch:x86 resource tag. ctfmon.exe (the Text Services Framework monitor) is a normal, signed Windows binary, so the child's image is not itself an indicator; the indicator is a Temp-resident parent spawning it and then writing into its memory.
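The two behaviours above (an autostart value set under Policies\Explorer\Run, and a process writing into the memory of a child it spawned itself) are the ones worth turning into host detections. The following is an added example, not part of the sandbox report and not the sandbox's own code: it runs the two checks over Sysmon-style events (Event ID 1 process creation, Event ID 10 process access, Event ID 13 registry value set). The event list is constructed for this example to mirror the report's process tree and registry write, plus some benign noise; the field names are simplified snake_case forms of the Sysmon field names, and the "0x1FFFFF" access mask on the injection event is an assumption (the report records the writes, not the handle rights).

```python
"""Detections for the two behaviours in the sandbox report:
  (1) an autostart value written under ...\\Policies\\Explorer\\Run (Sysmon EID 13), and
  (2) a parent opening a child it spawned with write rights (Sysmon EID 1 + EID 10),
      here 03b57d524ee4f6c57e6acea379e9dee1.exe -> ctfmon.exe.
Events are constructed for this example; they are not the sandbox's log output.
"""
import re

# Matches both the \REGISTRY\MACHINE form in the report and the HKLM form Sysmon logs.
# Case-insensitive: the report itself shows the key as "explorer\run" and "Explorer\run".
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.IGNORECASE)

# Locations a legitimate autostart entry rarely points to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\[^\\]+\\Downloads|ProgramData)\\",
    re.IGNORECASE,
)

# Handle rights WriteProcessMemory needs on the target process.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def policy_run_persistence(events):
    """One finding per value set under Policies\\Explorer\\Run (EID 13)."""
    findings = []
    for e in events:
        if e["event_id"] != 13 or not POLICY_RUN_RE.search(e["target_object"]):
            continue
        # Strip the quotes Sysmon puts around string data and collapse doubled backslashes.
        payload = e["details"].strip('"').replace("\\\\", "\\")
        findings.append({
            "pid": e["process_id"],
            "image": e["image"],
            "value": e["target_object"].rsplit("\\", 1)[-1],
            "payload": payload,
            # An autostart pointing into Temp/Downloads is worse than a bare autostart.
            "severity": "high" if USER_WRITABLE_RE.search(payload) else "medium",
        })
    return findings


def self_spawned_injection(events):
    """One finding per parent that opened its own child with VM_OPERATION|VM_WRITE (EID 1 + EID 10)."""
    children = {}  # child pid -> (parent pid, child image), from process-creation events
    for e in events:
        if e["event_id"] == 1:
            children[e["process_id"]] = (e["parent_process_id"], e["image"])
    findings = []
    for e in events:
        if e["event_id"] != 10:
            continue
        granted = int(e["granted_access"], 16)
        if granted & WRITE_RIGHTS != WRITE_RIGHTS:
            continue  # query-only handles (e.g. 0x1000) are routine; ignore them
        parent, child_image = children.get(e["target_process_id"], (None, None))
        if parent != e["source_process_id"]:
            continue  # only flag a parent writing into a child it created itself
        findings.append({
            "source_pid": e["source_process_id"],
            "source_image": e["source_image"],
            "target_pid": e["target_process_id"],
            "target_image": child_image,
            "granted_access": hex(granted),
        })
    return findings


SAMPLE = "03b57d524ee4f6c57e6acea379e9dee1.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events mirroring the report (PIDs 2892 and 2996) plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 1, "process_id": 2892, "parent_process_id": 1234, "image": TEMP + SAMPLE},
    {"event_id": 1, "process_id": 2996, "parent_process_id": 2892,
     "image": "C:\\Windows\\SysWOW64\\ctfmon.exe"},
    {"event_id": 10, "source_process_id": 2892, "source_image": TEMP + SAMPLE,
     "target_process_id": 2996, "granted_access": "0x1FFFFF"},  # assumed PROCESS_ALL_ACCESS
    {"event_id": 13, "process_id": 2892, "image": TEMP + SAMPLE,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\run\\QuickTimeTask",
     "details": '"' + TEMP + SAMPLE + '"'},
    # Benign: explorer starts notepad and opens a query-only handle to it; an installer
    # writes the ordinary Run key (not the Policies key) with a Program Files path.
    {"event_id": 1, "process_id": 3100, "parent_process_id": 1234, "image": "C:\\Windows\\System32\\notepad.exe"},
    {"event_id": 10, "source_process_id": 1234, "source_image": "C:\\Windows\\explorer.exe",
     "target_process_id": 3100, "granted_access": "0x1000"},
    {"event_id": 13, "process_id": 4000, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "details": '"C:\\Program Files\\Vendor\\agent.exe"'},
]

if __name__ == "__main__":
    for finding in policy_run_persistence(SAMPLE_EVENTS) + self_spawned_injection(SAMPLE_EVENTS):
        print(finding)
```

Sysmon never sees the WriteProcessMemory call itself, only the OpenProcess rights in Event ID 10, so the second check is an approximation of what the sandbox observed through API hooking: a handle with VM_OPERATION|VM_WRITE from a parent to its own child is the closest telemetry equivalent. Tune the benign-noise side on real data before deploying; debuggers, crash handlers and some installers legitimately open their children with write rights.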