Overview

overview

8

Static

static

3

1df5b0197c...c2.exe

windows7-x64

8

1df5b0197c...c2.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1df5b0197c814cf46dcb0415d34e15c2.exe

  • Size

    18KB

  • MD5

    1df5b0197c814cf46dcb0415d34e15c2

  • SHA1

    77901145f27b918b737ec1205ec7ee7c83a261a2

  • SHA256

    aedae916e0aa0da6896dc320c2421bf36eb93c4c2962ebd36a70d08db18fe156

  • SHA512

    f2f91fa944bda210f5afa259582952b2875eeed79a0b485b2dd7c8b364fc06e39376192bb7da5707555237ff2475de585342524cc2db31c6f7596ec5c94d9740

  • SSDEEP

    384:JgwnIQHmLW86qh1sR7G+4hIerXJIX63CCsrp3BEWGXgKmv:h0AG+4uerJIXh/3BGwKa

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious behavior: LoadsDriver
    PID:468
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS
      2⤵
        PID:688
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        2⤵
          PID:824
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            3⤵
              PID:1228
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            2⤵
              PID:864
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService
              2⤵
                PID:1008
              • C:\Windows\System32\spoolsv.exe
                C:\Windows\System32\spoolsv.exe
                2⤵
                  PID:364
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1052
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    2⤵
                      PID:1136
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:332
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                        2⤵
                          PID:752
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k DcomLaunch
                          2⤵
                            PID:608
                          • C:\Windows\system32\sppsvc.exe
                            C:\Windows\system32\sppsvc.exe
                            2⤵
                              PID:2320
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                              2⤵
                                PID:2160
                            • C:\Windows\system32\winlogon.exe
                              winlogon.exe
                              1⤵
                                PID:424
                              • C:\Windows\system32\csrss.exe
                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                1⤵
                                  PID:388
                                • C:\Windows\system32\wininit.exe
                                  wininit.exe
                                  1⤵
                                    PID:372
                                    • C:\Windows\system32\lsass.exe
                                      C:\Windows\system32\lsass.exe
                                      2⤵
                                        PID:484
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:492
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:336
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1264
                                              • C:\Users\Admin\AppData\Local\Temp\1df5b0197c814cf46dcb0415d34e15c2.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1df5b0197c814cf46dcb0415d34e15c2.exe"
                                                2⤵
                                                • Drops file in Drivers directory
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • Drops file in Windows directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1216
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1df5b0197c814cf46dcb0415d34e15c2.exe"
                                                  3⤵
                                                  • Deletes itself
                                                  PID:2636
                                            • C:\Windows\system32\DllHost.exe
                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                              1⤵
                                                PID:1792

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Windows\SysWOW64\msosmnsf00.dll
                                                Filesize

                                                12KB

                                                MD5

                                                4ebdaf83ef6e530fd5772886d166dbea

                                                SHA1

                                                98ad11eaf2111b58abe16bc07b60a48c28b12c2c

                                                SHA256

                                                34020ea364d08557b31e09a0c1a49b94fd867180b0224f335f3118f6c3c92a98

                                                SHA512

                                                35977f0537b574a95ad32391a59aa1bc94f258c79ef1e8960483fe0beabc22d4c8f651b6ce5f6641f7c8f0344c7ae2fc1ced3f520fd773abfc21b912a4caf34f

                                                Download Submit

                                              • memory/260-9-0x0000000000110000-0x0000000000111000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/484-31-0x0000000000190000-0x0000000000191000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/1216-10-0x0000000010000000-0x0000000010029000-memory.dmp

                                                Filesize

                                                164KB

                                                Download

                                              • memory/1216-86-0x0000000010000000-0x0000000010029000-memory.dmp

                                                Filesize

                                                164KB

                                                Download