Analysis
- max time kernel: 130s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 06:15
Behavioral task: behavioral1
- Sample: 10d75fc23bd105a98b8d952be81593f0.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 10d75fc23bd105a98b8d952be81593f0.exe
- Resource: win10v2004-20231222-en
General
- Target: 10d75fc23bd105a98b8d952be81593f0.exe
- Size: 36KB
- MD5: 10d75fc23bd105a98b8d952be81593f0
- SHA1: f3ce99466acbc8ad10a0cf61d0a74d8cfd0a9eae
- SHA256: 6b1f25d7df4d7d1b61a558ab8d28612581f67b411f14bd9620449bc04a73445b
- SHA512: 17835ad523c48c00841978cc804f488b19f2234771c58f35c71b45a45083f0016186287a04d63364baa4464829507b5b496f3a4c5dd20c08ac5083ab89aa7d10
- SSDEEP: 768:IkXioTU27ZB/nbcuyD7U5lSFIFhbFPiBHFUgoUn6C+bW:FDU2L/nouy85cYrPiBHFUgJn5+bW
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskfile.exe"
  Process: reg.exe
- Executes dropped EXE (1 IoC)
  PID 2912, Process: 19A8.tmp
- Loads dropped DLL (2 IoCs)
  PID 2548, Process: 10d75fc23bd105a98b8d952be81593f0.exe
  PID 2548, Process: 10d75fc23bd105a98b8d952be81593f0.exe
- YARA rule match
  Resource: behavioral1/memory/2548-8-0x0000000000400000-0x0000000000419000-memory.dmp
  yara_rule: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (16 IoCs)
  Description | PID | Process | procid_target
  PID 2548 wrote to memory of 2912 | 2548 | 10d75fc23bd105a98b8d952be81593f0.exe | 18
  PID 2548 wrote to memory of 2912 | 2548 | 10d75fc23bd105a98b8d952be81593f0.exe | 18
  PID 2548 wrote to memory of 2912 | 2548 | 10d75fc23bd105a98b8d952be81593f0.exe | 18
  PID 2548 wrote to memory of 2912 | 2548 | 10d75fc23bd105a98b8d952be81593f0.exe | 18
  PID 2912 wrote to memory of 2296 | 2912 | 19A8.tmp | 17
  PID 2912 wrote to memory of 2296 | 2912 | 19A8.tmp | 17
  PID 2912 wrote to memory of 2296 | 2912 | 19A8.tmp | 17
  PID 2912 wrote to memory of 2296 | 2912 | 19A8.tmp | 17
  PID 2296 wrote to memory of 2668 | 2296 | cmd.exe | 14
  PID 2296 wrote to memory of 2668 | 2296 | cmd.exe | 14
  PID 2296 wrote to memory of 2668 | 2296 | cmd.exe | 14
  PID 2296 wrote to memory of 2668 | 2296 | cmd.exe | 14
  PID 2296 wrote to memory of 2672 | 2296 | cmd.exe | 15
  PID 2296 wrote to memory of 2672 | 2296 | cmd.exe | 15
  PID 2296 wrote to memory of 2672 | 2296 | cmd.exe | 15
  PID 2296 wrote to memory of 2672 | 2296 | cmd.exe | 15
Processes
- C:\Windows\SysWOW64\reg.exe
  Command line: reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\taskfile.exe /f
  Signatures: Modifies WinLogon for persistence
  PID: 2668
- C:\Windows\SysWOW64\find.exe
  Command line: find /I "0000040d" "C:\svi\003988274\svss.lpd"
  PID: 2672
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2296
- C:\Users\Admin\AppData\Local\Temp\19A8.tmp
  Command line: C:\Users\Admin\AppData\Local\Temp\19A8.tmp C:\Users\Admin\AppData\Local\Temp
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  PID: 2912
- C:\Users\Admin\AppData\Local\Temp\10d75fc23bd105a98b8d952be81593f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d75fc23bd105a98b8d952be81593f0.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: f28c8b565f8f1501bce77a003c4bf050
  SHA1: 9c02a484f8d377bee16e929486b7f462e288ece2
  SHA256: e56172e61dcf1a701897ce249971916779853b9cf2bdaa85d6e51120df9f4e24
  SHA512: 9785fcde44898a93dab141d8406eda223f864a2474bda0276c0cf5ba580e4f2fa77ae1b423a9df59e09c7b1abfa5f21f788c2b03ca451c26827ce8620ff0eda4