Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-12-2023 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 1ddf00dcc6828378acab1a31fb31a2ea.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1ddf00dcc6828378acab1a31fb31a2ea.exe
  Resource: win10v2004-20231215-en
General
- Target: 1ddf00dcc6828378acab1a31fb31a2ea.exe
- Size: 69KB
- MD5: 1ddf00dcc6828378acab1a31fb31a2ea
- SHA1: b88a8f8393829346dd28429852db78f150dcccba
- SHA256: 607f109c9809ae9b16aad3a7cf6181f36b312b1769a9bf1fe107f346be841534
- SHA512: b6b0fced1b0fcd244c9b298abb1decfd14b101ad6244e653ba5d57eabde63d8b0ef2f3abbd2eac2f80398deae4b55cc7202479e70dc4accdecbdf1c9c9ff2f75
- SSDEEP: 768:5ZLJfaE5A6CO3O1pJiX9iMDwTWGTOcP26PeJLCAnAMiyH39Y3wYo3cfWGwKYf0oe:/JfkE3spGnnRiyH39Y3I3YWjrcck955B
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  flow  pid   process
  3     3020  rundll32.exe
  6     2668  rundll32.exe
  7     2668  rundll32.exe
  8     3020  rundll32.exe
  9     2668  rundll32.exe
  10    2668  rundll32.exe
- Drops file in Drivers directory (1 IoC)
  Processes: rundll32.exe
  description                   ioc                                       process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts     rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid   process
  3020  rundll32.exe
  2668  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46.avi\", start"
  process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 1ddf00dcc6828378acab1a31fb31a2ea.exe, rundll32.exe, rundll32.exe
  description              pid   process
  Token: SeDebugPrivilege  2360  1ddf00dcc6828378acab1a31fb31a2ea.exe
  Token: SeDebugPrivilege  3020  rundll32.exe
  Token: SeDebugPrivilege  2668  rundll32.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 1ddf00dcc6828378acab1a31fb31a2ea.exe, rundll32.exe
  description                           pid   process                                target process
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 2360 wrote to memory of 3020      2360  1ddf00dcc6828378acab1a31fb31a2ea.exe   rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
  PID 3020 wrote to memory of 2668      3020  rundll32.exe                           rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1ddf00dcc6828378acab1a31fb31a2ea.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ddf00dcc6828378acab1a31fb31a2ea.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\257390cd-2f50-4ef5-b0d2-23b9ecb3c111\wrk2904.tmp_46", start first worker
    - Blocklisted process makes network request
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\257390cd-2f50-4ef5-b0d2-23b9ecb3c111\wrk41F0.tmp_46", start task worker
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46.avi
  Filesize: 42KB
  MD5: 970bfce7718e50660e6546c132b7e233
  SHA1: ad6634602392ec214ac0bff7d15a79cdac615e2a
  SHA256: 1a0838a472c60aa87678d92d6179f42c2b948db2305f19109ff53b6b35a80570
  SHA512: a00c5867aded551d56520f9631b62750fc6182cb946084191c9f99b641f803b42105c0e48712bcc149e89592aea1c91d0665c67ad9e20515eaa52a845423e660
- \Users\Admin\AppData\Local\Temp\257390cd-2f50-4ef5-b0d2-23b9ecb3c111\wrk2904.tmp_46
  Filesize: 69KB
  MD5: b510d19d05f6d2bdd6a15a94f7ecec61
  SHA1: a7f2e2aa328b5f4540b2953c600810742e9bbe6d
  SHA256: 5d1d31c624b1caafb5b8ea28c10aca182ea46802add8cf1a8eb29173c9e9ee9d
  SHA512: 160df35c60166a617885fb6a2c103f8b4ad77ff24f6ef63a789e35dc0b9f48cd014fa7b49bcb9133005e2c0e6bf3ce2aeda7e31a4ef7a0e5d1e3d27f4b591ab2
- \Users\Admin\AppData\Local\Temp\257390cd-2f50-4ef5-b0d2-23b9ecb3c111\wrk41F0.tmp_46
  Filesize: 26KB
  MD5: 4ff8478ae2b0b1379ff9f95fdbf6725f
  SHA1: 22f77936905367b57855849bf8ffb96850020b1d
  SHA256: a8c13c03b135601d4f0c3c542c4adca9124396b1777a36935351c8af96c37697
  SHA512: f3467232aecfcf4177642766e2a7dd9580753ccbca6ac4416e054b1d8c61cd73c298aad38c57f34a5685ad0ee059b2c8904868da311215d6498954b778f6d415
- memory/2360-1-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB
- memory/2360-0-0x0000000000150000-0x0000000000151000-memory.dmp
  Filesize: 4KB
- memory/2668-23-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB
- memory/2668-29-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB
- memory/3020-8-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB
- memory/3020-15-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB
- memory/3020-28-0x0000000010000000-0x000000001000B000-memory.dmp
  Filesize: 44KB