Analysis
max time kernel: 122s
max time network: 139s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 30/12/2023, 22:31
Behavioral task: behavioral1
Sample: 1e8617c474f50fca963bb2927e57515b.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 1e8617c474f50fca963bb2927e57515b.exe
Resource: win10v2004-20231215-en
General
Target: 1e8617c474f50fca963bb2927e57515b.exe
Size: 155KB
MD5: 1e8617c474f50fca963bb2927e57515b
SHA1: c1056691820a1d343798d2a2b15a27ac8e7cd6eb
SHA256: 392e0fb3d1a2f9fa9f0f495c7433508c103d1149061a8f18e2d3c05ab3fdd76d
SHA512: 4f76236a5bf9bf33ab1d6c07d708a89f9d9ee330f817f838bc0619009bba4c851ae6f5c691ba9f0f205e5b46a5fa36241097f6099075c1d58e0cc81b6367b75c
SSDEEP: 3072:H+bnHkQocN6sXuUowZIilfPZ8hFeDy4u47hvQJWVnwRSRvzdtDULTf:Ski1/ZbfwF1ChoJo3RxpU
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2756  server.exe

Loads dropped DLL (2 IoCs)
pid   Process
2688  cmd.exe
2688  cmd.exe

resource                                                                     yara_rule
behavioral1/memory/2652-0-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/files/0x0031000000015c8d-7.dat                                   upx
behavioral1/memory/2652-13-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2756-8-0x0000000000400000-0x000000000046A000-memory.dmp   upx
behavioral1/memory/2688-6-0x0000000000160000-0x00000000001CA000-memory.dmp   upx
behavioral1/files/0x0031000000015c8d-5.dat                                   upx
behavioral1/files/0x0031000000015c8d-4.dat                                   upx
behavioral1/files/0x0031000000015c8d-3.dat                                   upx
behavioral1/memory/2756-15-0x0000000000400000-0x000000000046A000-memory.dmp  upx
Drops file in System32 directory (2 IoCs)
description                   ioc                             Process
File created                  C:\Windows\SysWOW64\server.exe  1e8617c474f50fca963bb2927e57515b.exe
File opened for modification  C:\Windows\SysWOW64\server.exe  1e8617c474f50fca963bb2927e57515b.exe

Drops file in Windows directory (2 IoCs)
description   ioc                     Process
File created  C:\WINDOWS\appget.ini   1e8617c474f50fca963bb2927e57515b.exe
File created  C:\WINDOWS\appgets.ini  server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2676  DllHost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                               procid_target
PID 2652 wrote to memory of 2688   2652  1e8617c474f50fca963bb2927e57515b.exe  16
PID 2652 wrote to memory of 2688   2652  1e8617c474f50fca963bb2927e57515b.exe  16
PID 2652 wrote to memory of 2688   2652  1e8617c474f50fca963bb2927e57515b.exe  16
PID 2652 wrote to memory of 2688   2652  1e8617c474f50fca963bb2927e57515b.exe  16
PID 2688 wrote to memory of 2756   2688  cmd.exe                               24
PID 2688 wrote to memory of 2756   2688  cmd.exe                               24
PID 2688 wrote to memory of 2756   2688  cmd.exe                               24
PID 2688 wrote to memory of 2756   2688  cmd.exe                               24
Processes
C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c C:\WINDOWS\system32\server.exe
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2688

  C:\WINDOWS\SysWOW64\server.exe
    Command line: C:\WINDOWS\system32\server.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2756

C:\Users\Admin\AppData\Local\Temp\1e8617c474f50fca963bb2927e57515b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e8617c474f50fca963bb2927e57515b.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2652

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 2676
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 119KB
MD5: 817989e967b2fa2c858c7e7881f07ff5
SHA1: 3744dae5e859fc2f5deee06ba466d329b09f7d69
SHA256: 7b75355584c4641f87d2fd6c3d7d7af13619f5bd468debd86d79053051438564
SHA512: c6f462b2f225f7b94d3fabfb8263ce65c8c13af59c931fac4e36b9b329d0ac130f6dbf408b1b0bedd3bc75dcf93addd3d533cf1aed0a4d232971a781c5ebe239

Filesize: 1KB
MD5: cfe9bad16d63c0b1e80fd7faee4dcc31
SHA1: fdb5dcfb3ef58f00b336141af96d9d8dd0258235
SHA256: a04dd2e65985a73ff2717d7682a0846f552fd18706dde3e4f62802d0f8aecd1e
SHA512: bf418fb65a24787b92c3e38445756b88aa1e26d109892606d9f68360889bd1ce85bf49968fa0f3dc3e84c6d7ae21998fd1a9c168c9d4c3059daa2388643ee409

Filesize: 70KB
MD5: 92c323bec665932c6201909c4a579c4c
SHA1: 70f68557e5772ec9ff0a76038a0ece58765c3405
SHA256: cc2a1cf003cc998bf9f330eb8906b124216b9d64be22b88aa726131ef0939582
SHA512: ffc7d103888e66aa26eb3d5e49964b3328b0c1193b456c72e49a3bb1915039cc712e2f777f4cac0da92645d690aed8d2cb6f29c455abde8d3c1b7e1c9342e627