25a1ed638307b5c361a117048961fffb5533a2925553a2cb44ae61fc5389c23e

Analysis

max time kernel
120s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12DNF小马.exe
Size

18KB
MD5

e076485da1aef93f3621aa6b7c05ba73
SHA1

3653395ed051c2524a057ddd3803a673d4ba722e
SHA256

7af91034be743da9149c18584ffeb71cb0db100a15739f6169a5b29755a25092
SHA512

fdce6b959d1fd8a1e61379b25d57f0b09c67ba274c9634a301fddefe1cc45ec1eb1b6c158afb37ee8c4e5ecbae14c5c59518dad65210807397c2118c214acc86
SSDEEP

384:IkJcqs0mP5C3SyeTfyEdftyVVhxY+uuyhGy1KSYz:lLhopTfyEBaHxY+uuFVz

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x0009000000012252-1.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2152	12DNF小马.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0009000000012252-1.dat	upx
behavioral3/memory/2152-3-0x0000000010000000-0x0000000010013000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jlfdnf.dll	12DNF小马.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	12DNF小马.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2660	2152	12DNF小马.exe	29
PID 2152 wrote to memory of 2660	2152	12DNF小马.exe	29
PID 2152 wrote to memory of 2660	2152	12DNF小马.exe	29
PID 2152 wrote to memory of 2660	2152	12DNF小马.exe	29

C:\Users\Admin\AppData\Local\Temp\12DNF小马.exe
"C:\Users\Admin\AppData\Local\Temp\12DNF小马.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\clear.bat" "
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clear.bat

Filesize
115B

MD5
3822327d98aaaaa4d2c340d991362630

SHA1
0a52cf6d4604a4a0d55254caa206e0ff4f3b41c0

SHA256
4219f489321d65eea3ccce9a2cf3fe6e9aff3ee20716ea93ac2f17bb0f05410e

SHA512
65160cc603051bb451b8d3ac3f95678127c392ba72bf4fc814323c22ce547d7a91dd692787b9dfb1bd8e34c81555e3a7e63e605db789fe9f71bf64788be55d2d

Download Submit
\Windows\SysWOW64\jlfdnf.dll

Filesize
12KB

MD5
36c52feaff4dde88177946b05c3b3e48

SHA1
344c89eef11c30f2f03b82c58eced636e8c9b586

SHA256
f648e6e33aa80df03a0501f41486fbfe36c362e0a4caf728a87e7a54f4139077

SHA512
a2ec60119922d7567a9707f43fb7c369ad90d38b01444b0d57a0099e2fa494a753278406954289fab8e01b620c3066fd7ef62c376ab7ce17cd9cfd4db12dabf0

Download Submit
memory/2152-3-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download