Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 07:13
Static task: static1
Behavioral task: behavioral1
  Sample: 11dc92afca9027448f8d31f5d4545c4a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 11dc92afca9027448f8d31f5d4545c4a.exe
  Resource: win10v2004-20231215-en
General
Target: 11dc92afca9027448f8d31f5d4545c4a.exe
Size: 886KB
MD5: 11dc92afca9027448f8d31f5d4545c4a
SHA1: 2542126dfaff8196dfc18a0bb8ec8fe9e3a97aab
SHA256: 1042f26a971b9bff634f9fcbb36b7668b2c6984b13f98d438c521af1a1d8af10
SHA512: c01a8d0b4e27cf93592a14025ba2a3bb9c09abdf12acf74eb4835a86854eeacf3845946b483624fe507cfdfdd905f33b1c7b1e08fb1d4068a441553d93cabeab
SSDEEP: 24576:zuvYVsT1lnTPopmmyBgCl3T0lVz6odQ6l:KvYkRTE3YcbQq
Malware Config
Signatures
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 11dc92afca9027448f8d31f5d4545c4a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 11dc92afca9027448f8d31f5d4545c4a.exe
Loads dropped DLL (7 IoCs)
pid | Process
2772 | WerFault.exe (7 DLL loads recorded)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 11dc92afca9027448f8d31f5d4545c4a.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 11dc92afca9027448f8d31f5d4545c4a.exe
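The two signatures above record which registry values the sample read, not what it did with them. The Python below is an added example (not code from the sandbox or from the sample) that shows the decision such a check makes: it takes the three value paths from the report and looks for hypervisor fingerprints in them. The two snapshots are constructed (a VirtualBox-style guest next to a physical host) and the marker list is an assumption about what a sample typically tests for; it is not recovered from this binary.

```python
"""Classify the registry values this sample read as VM/sandbox indicators.

Added example, not sandbox or sample code. The key paths are the ones in the
report's IoC tables; the two snapshots are constructed, and VM_MARKERS is an
assumption about typical anti-sandbox string checks.
"""
from typing import Dict, List

# Values the sample queried, written HKLM-relative (report: \REGISTRY\MACHINE\...).
SYSTEM_BIOS = r"HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"HARDWARE\DESCRIPTION\System\VideoBiosVersion"
DISK_ENUM_0 = r"SYSTEM\ControlSet001\Services\Disk\Enum\0"

# Hypervisor fingerprints that appear in SMBIOS strings and PnP device IDs.
# Matched case-insensitively as substrings (assumed list, see lead-in).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN",
              "PARALLELS", "HYPER-V", "VIRTUAL")

# Constructed snapshot of a VirtualBox guest.
VBOX_GUEST = {
    SYSTEM_BIOS: "VBOX   - 1",
    VIDEO_BIOS: "Oracle VM VirtualBox Version 6.1 VGA BIOS",
    DISK_ENUM_0: r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1f6f0f9a&0&0.0.0",
}

# Constructed snapshot of a physical workstation.
BARE_METAL = {
    SYSTEM_BIOS: "ALASKA - 1072009",
    VIDEO_BIOS: "Intel Video BIOS",
    DISK_ENUM_0: r"SCSI\Disk&Ven_NVMe&Prod_Vendor_SSD\4&2e7d5a9c&0&000000",
}


def markers_in(value: str) -> List[str]:
    """Return the VM markers contained in one registry value."""
    upper = value.upper()
    return [m for m in VM_MARKERS if m in upper]


def vm_indicators(snapshot: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each queried key to the markers found in its value (empty list if clean)."""
    return {key: markers_in(value) for key, value in snapshot.items()}


def looks_like_vm(snapshot: Dict[str, str]) -> bool:
    """The yes/no decision an anti-sandbox check would make on this snapshot."""
    return any(vm_indicators(snapshot).values())


if __name__ == "__main__":
    for name, snap in (("VBOX_GUEST", VBOX_GUEST), ("BARE_METAL", BARE_METAL)):
        print(name, "->", "VM" if looks_like_vm(snap) else "physical")
        for key, hits in vm_indicators(snap).items():
            if hits:
                print("   ", key, hits)
```

Run the same function over a registry export from the analysis VM itself: if the three values leak a hypervisor name, the sample can branch on it before any payload runs, and the behaviour recorded in a report like this one reflects the evasion path rather than the real one.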
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1736 set thread context of 2204 | 1736 | 11dc92afca9027448f8d31f5d4545c4a.exe | 29
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2772 | 2204 | WerFault.exe | 29
Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | 11dc92afca9027448f8d31f5d4545c4a.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2204 | 11dc92afca9027448f8d31f5d4545c4a.exe (6 hook installations recorded)
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target | count
PID 1736 wrote to memory of 2204 | 1736 | 11dc92afca9027448f8d31f5d4545c4a.exe | 29 | 11 writes
PID 2204 wrote to memory of 2772 | 2204 | 11dc92afca9027448f8d31f5d4545c4a.exe | 31 | 4 writes
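Read together, the SetThreadContext, WriteProcessMemory and Program crash tables describe one chain: PID 1736 writes eleven times into a second instance of its own image (PID 2204) and changes that process's thread context, and 2204 is later the faulting process that WerFault (PID 2772) is started for. The Python below is an added example, not the sandbox's code: it parses rows in exactly the column layout these tables use, pairs memory writes with thread-context changes per (source, target) process pair, and labels a pair whose two processes share an image as consistent with process hollowing. The writes from 2204 into WerFault are deliberately not flagged, because a write with no thread-context change is what a faulting process normally does when handing off to WER. The row strings, image table and counts are copied from this report; the regex is an assumption about that layout.

```python
"""Find process-injection chains in 'wrote to memory of' / 'set thread
context of' rows laid out like this report's IoC tables.

Added example, not the sandbox's own code. ROWS/IMAGES/CRASH_ROWS reproduce
the report's data; ROW_RE and CRASH_RE assume that column layout.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE = "11dc92afca9027448f8d31f5d4545c4a.exe"

# pid -> image, from the report's process tree.
IMAGES = {1736: SAMPLE, 2204: SAMPLE, 2772: "WerFault.exe"}

# Rows as the report prints them: "PID <src> <op> <dst> <src> <image> <procid_target>".
ROWS = [
    "PID 1736 set thread context of 2204 1736 " + SAMPLE + " 29",
] + ["PID 1736 wrote to memory of 2204 1736 " + SAMPLE + " 29"] * 11 + [
    "PID 2204 wrote to memory of 2772 2204 " + SAMPLE + " 31",
] * 4

# Program crash row: "<pid> <pid_target> <Process> <procid_target>".
CRASH_ROWS = ["2772 2204 WerFault.exe 29"]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) ")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe ")


def parse_rows(rows: Iterable[str]) -> List[Tuple[int, str, int]]:
    """Return (src_pid, op, dst_pid) per row; rows that do not match are skipped, not guessed."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def injection_chains(events: Iterable[Tuple[int, str, int]],
                     images: Dict[int, str]) -> List[Dict]:
    """Report every (src, dst) pair that saw both a memory write and a
    thread-context change. A write on its own (e.g. a faulting process
    handing data to WerFault) is ordinary and is left out."""
    ops = defaultdict(set)
    writes = defaultdict(int)
    for src, op, dst in events:
        ops[(src, dst)].add(op)
        if op == "wrote to memory of":
            writes[(src, dst)] += 1
    chains = []
    for (src, dst), seen in ops.items():
        if {"wrote to memory of", "set thread context of"} <= seen:
            same_image = images.get(src) == images.get(dst)
            chains.append({
                "source": src,
                "target": dst,
                "writes": writes[(src, dst)],
                "pattern": ("process hollowing (same image)" if same_image
                            else "remote thread hijack (different image)"),
            })
    return chains


def crashed_targets(crash_rows: Iterable[str], chains: List[Dict]) -> List[int]:
    """Injection targets that later faulted into WerFault."""
    faulted = {int(m.group(2)) for m in map(CRASH_RE.match, crash_rows) if m}
    return [c["target"] for c in chains if c["target"] in faulted]


if __name__ == "__main__":
    found = injection_chains(parse_rows(ROWS), IMAGES)
    for c in found:
        print(f"{c['source']} -> {c['target']}: {c['writes']} writes, {c['pattern']}")
    print("injected processes that crashed:", crashed_targets(CRASH_ROWS, found))
```

The pairing rule is deliberately conservative: it needs both a write and a thread-context change between the same two PIDs, so a single chain is reported here (1736 into 2204) and the four writes from 2204 into WerFault are not. Whether the crash of 2204 means the injected code faulted or something else went wrong is not something this report records.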
Processes
C:\Users\Admin\AppData\Local\Temp\11dc92afca9027448f8d31f5d4545c4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11dc92afca9027448f8d31f5d4545c4a.exe"
  PID: 1736
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\11dc92afca9027448f8d31f5d4545c4a.exe (child of 1736)
    Command line: "C:\Users\Admin\AppData\Local\Temp\11dc92afca9027448f8d31f5d4545c4a.exe" Track="0001001000"
    PID: 2204
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (child of 2204)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1404
      PID: 2772
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 50KB
  MD5: 335fe160e24222dc4857899061a07ee8
  SHA1: cc35e11c0552e6f8d50de0f36ec2e1a661bcee31
  SHA256: 173b80f85e84e90eb90a5d4d7bdf470a966f08a4c726cdc02d151485f0d99a04
  SHA512: aa2772b380acae779d84d385691a2567bdf8dd0deaa9d4c046e3925057df7f235a8a69c662a16ed47d84d139f93781c5dfac9350a93a0513156395d532263164
File 2
  Filesize: 2KB
  MD5: 3fdc462e066543f55328841cb52783e4
  SHA1: a5cdaab03a430f7b136225fa7e6e4a2ab2563826
  SHA256: c796964472b379f7e35a586d7f468cd0ab4e49388d3beb9b525a76c39fe65f38
  SHA512: d7d9822df82542dad277c25ecb47c4b473512111789a7b1db0cc7c4762c775caf4e3963fb8dad6b6a3f01c1cbcc5fc0beea729fc53990b607f3f6fc3ca219646
File 3
  Filesize: 19KB
  MD5: 5c303dcf94d6d48082b4ac81866d9a48
  SHA1: 2e95397dc206e9e5c22cf6ec171c58cf0215d40e
  SHA256: d7da9c9447c401e1484bd8ace4924327d1a27020303d1a1bb6cbf0fdb63339d0
  SHA512: 34075651abb3702d71546f640846f234797322e1e746616d3159926fd6e792b2b47eaeb3b513df2ad13f889fb090ff2864dc5dfaea7c158f36e51f192fdbc3ed