Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 21:45

General

  • Target
    1d7369b89cb7f8d0822a5193e8f1312a.exe
  • Size
    25KB
  • MD5
    1d7369b89cb7f8d0822a5193e8f1312a
  • SHA1
    c16a65020f3411fb768c853d6a975ee005673a20
  • SHA256
    3ce58199dc4481c972c623f85520c7040d22476a2ec0ed32117e5af7ec6d0d71
  • SHA512
    4f46622eebb061b68a37563dff0d55fe6f61ab780d1e60184f665288c836986c7f399675f13af81f4f187ab5270d33fde3bc87b6c9cf413e12048e498ad5c32f
  • SSDEEP
    768:B6CR40yNqWCOcRPXDUHdxUdNt+4zN4npvjxz4gKLY:B6C+0yQWtkPXDIdqzJ4vzJ

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d7369b89cb7f8d0822a5193e8f1312a.exe
    "C:\Users\Admin\AppData\Local\Temp\1d7369b89cb7f8d0822a5193e8f1312a.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\SysWOW64\Net.exe
      Net Stop Norton Antivirus Auto Protect Service
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop Norton Antivirus Auto Protect Service
        3⤵
        PID:2248
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:3644
    • C:\Windows\SysWOW64\Net.exe
      Net Stop mcshield
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop mcshield
        3⤵
        PID:1464
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:3796
    • C:\Windows\SysWOW64\net.exe
      net stop System Restore Service
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        PID:3888
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5036 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3480

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Common Files\Services\svchost.exe
    Filesize
    25KB
    MD5
    1d7369b89cb7f8d0822a5193e8f1312a
    SHA1
    c16a65020f3411fb768c853d6a975ee005673a20
    SHA256
    3ce58199dc4481c972c623f85520c7040d22476a2ec0ed32117e5af7ec6d0d71
    SHA512
    4f46622eebb061b68a37563dff0d55fe6f61ab780d1e60184f665288c836986c7f399675f13af81f4f187ab5270d33fde3bc87b6c9cf413e12048e498ad5c32f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver891.tmp
    Filesize
    15KB
    MD5
    1a545d0052b581fbb2ab4c52133846bc
    SHA1
    62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256
    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512
    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MCZQJD7V\suggestions[1].en-US
    Filesize
    17KB
    MD5
    5a34cb996293fde2cb7a4ac89587393a
    SHA1
    3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256
    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512
    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MCZQJD7V\z2[1].htm
    Filesize
    803B
    MD5
    130269b3f31854c5d77370e9fb0ca93d
    SHA1
    24a8e6428b13cef776b301a62fa9a91c6448b3e5
    SHA256
    ece5fa02466ddac7c75644b08379608a228017afa3a0a60e3d06e43c7c414047
    SHA512
    5224f41cce2c698c3d41b6bd5916d70072b6c84f654066595b6c36de772b54f121f55f9d66279099742661a5eadb52095f4179576406b4a0c3deaace0b81b137

  • C:\Windows\SysWOW64\DirectX10.dll
    Filesize
    832KB
    MD5
    c57de030547fbfb2bf2771ccd0c8a506
    SHA1
    949b80ca15de0a78ce9cebb200b9914eaa6c70ff
    SHA256
    065050048db71956afbe83dd7da5be78f2fcd524e7ed5bc24e9ace3d71748d55
    SHA512
    79fb2f69a443a7b623ac188780bef599b1cb6e32ece10d888bf707482c6e0dbc5e2ecbebc92fcae45d0a44cef26700cc3ec477b70087dfac712dba549be34b19

  • C:\Windows\SysWOW64\DirectX10.dll
    Filesize
    193KB
    MD5
    cea5135c8a6b8dfc3b8c2b757954ea54
    SHA1
    ddd32cd63fa09c4b718d8606f864dfdf3626cc75
    SHA256
    9a1017cdba0f471546d5658fbcdd067e52de879f6f8f6ab1f20ee9ce5cc00273
    SHA512
    01c8304f5aebb8cf6f39d77f6a7dccb06f0eb6b955f206842f513a4a6b31fa17d7cb0d1d083674a0f5bbf074e9f65991ad54de8ae3524c0f59f949a19a6787ee