e588d2be1892ffafe9ac9f9bba7372ef17b96d250224a6527f6127482395e9e0

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09eba7c9b7b59d9062a89ad1d78da1d1.exe
Size

13KB
MD5

09eba7c9b7b59d9062a89ad1d78da1d1
SHA1

6e4bded13a555f1f6f7268391339fdc1cae2b02c
SHA256

e588d2be1892ffafe9ac9f9bba7372ef17b96d250224a6527f6127482395e9e0
SHA512

018272f9e1d907d2bf615cd35993c9b99120a234fe99337ba1069b7fabfcd84bd72623f66c402e1122e7b39b80add98df97c8602b7c6f75d09b75137d1e70f28
SSDEEP

384:ggdcIlAn5Rfkxz6T+Fb66hzQ5swC74w2/t:ggdcN5G56q66ksd74wYt

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	ravdthxmon.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe
2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravdthxmon = "C:\\Program Files\\NetMeeting\\ravdthxmon.exe"	ravdthxmon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\NetMeeting\ravdthxmon.exe	09eba7c9b7b59d9062a89ad1d78da1d1.exe
File opened for modification	C:\Program Files\NetMeeting\ravdthxmon.cfg	09eba7c9b7b59d9062a89ad1d78da1d1.exe
File opened for modification	C:\Program Files\NetMeeting\ravdthxmon.dat	ravdthxmon.exe
File created	C:\Program Files\NetMeeting\ravdthxmon.dat	ravdthxmon.exe
File opened for modification	C:\Program Files\NetMeeting\ravdthxmon.exe	09eba7c9b7b59d9062a89ad1d78da1d1.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe
2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe
2832	ravdthxmon.exe
2832	ravdthxmon.exe
2832	ravdthxmon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	ravdthxmon.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2832	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	28
PID 2972 wrote to memory of 2832	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	28
PID 2972 wrote to memory of 2832	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	28
PID 2972 wrote to memory of 2832	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	28
PID 2832 wrote to memory of 1248	2832	ravdthxmon.exe	21
PID 2972 wrote to memory of 2656	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	29
PID 2972 wrote to memory of 2656	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	29
PID 2972 wrote to memory of 2656	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	29
PID 2972 wrote to memory of 2656	2972	09eba7c9b7b59d9062a89ad1d78da1d1.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\09eba7c9b7b59d9062a89ad1d78da1d1.exe
  "C:\Users\Admin\AppData\Local\Temp\09eba7c9b7b59d9062a89ad1d78da1d1.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\NetMeeting\ravdthxmon.exe
    "C:\Program Files\NetMeeting\ravdthxmon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\09eba7c9b7b59d9062a89ad1d78da1d1.exe"
    3⤵
    - Deletes itself
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\NetMeeting\ravdthxmon.exe

Filesize
13KB

MD5
09eba7c9b7b59d9062a89ad1d78da1d1

SHA1
6e4bded13a555f1f6f7268391339fdc1cae2b02c

SHA256
e588d2be1892ffafe9ac9f9bba7372ef17b96d250224a6527f6127482395e9e0

SHA512
018272f9e1d907d2bf615cd35993c9b99120a234fe99337ba1069b7fabfcd84bd72623f66c402e1122e7b39b80add98df97c8602b7c6f75d09b75137d1e70f28

Download Submit
memory/1248-11-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.