3ab89ff5e59b86df3eae7a5f930d186a5a53f663d8f2b3aa3bb2b118bead1b38

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 10:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1543e9d0c25bc7c9aa047c55d5c3b13e.exe
Size

35KB
MD5

1543e9d0c25bc7c9aa047c55d5c3b13e
SHA1

29bd8c7f1bfd351f624cb0a7791232c5a21bec5c
SHA256

3ab89ff5e59b86df3eae7a5f930d186a5a53f663d8f2b3aa3bb2b118bead1b38
SHA512

78a974cc61e820e39b18bd8aaa3536cb15e966a83ee955bbddddc7877dbc1d0068e083bb8cf58f33f0549829d92c1224fc4ec1cdf31e50f9cf22cef5ef880cc4
SSDEEP

768:+z3sv8TouIoGb7rmWCd4q+SytrEqvSVhxOha5V:+Qv8Tel3r3yxBytreVCE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2056	$$$ms.gif .exe
3032	NTdhcp.exe

Loads dropped DLL 4 IoCs

pid	Process
2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe
2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe
2056	$$$ms.gif .exe
2056	$$$ms.gif .exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdhcp.exe	$$$ms.gif .exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	$$$ms.gif .exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	$$$ms.gif .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2056	2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe	28
PID 2336 wrote to memory of 2056	2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe	28
PID 2336 wrote to memory of 2056	2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe	28
PID 2336 wrote to memory of 2056	2336	1543e9d0c25bc7c9aa047c55d5c3b13e.exe	28
PID 2056 wrote to memory of 3032	2056	$$$ms.gif .exe	29
PID 2056 wrote to memory of 3032	2056	$$$ms.gif .exe	29
PID 2056 wrote to memory of 3032	2056	$$$ms.gif .exe	29
PID 2056 wrote to memory of 3032	2056	$$$ms.gif .exe	29
PID 2056 wrote to memory of 2888	2056	$$$ms.gif .exe	30
PID 2056 wrote to memory of 2888	2056	$$$ms.gif .exe	30
PID 2056 wrote to memory of 2888	2056	$$$ms.gif .exe	30
PID 2056 wrote to memory of 2888	2056	$$$ms.gif .exe	30

C:\Users\Admin\AppData\Local\Temp\1543e9d0c25bc7c9aa047c55d5c3b13e.exe
"C:\Users\Admin\AppData\Local\Temp\1543e9d0c25bc7c9aa047c55d5c3b13e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\temp\$$$ms.gif .exe
  "C:\Windows\temp\$$$ms.gif .exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\NTdhcp.exe
    C:\Windows\system32\NTdhcp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\Deleteme.bat
    3⤵
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
182B

MD5
38dbeb41c8c5158c8a7354e52e7180ef

SHA1
40586fbf925264185ae2915fa6be4ce826510622

SHA256
0ef158fcd5b1a8bcb12cff4d5db948665991fa3b559b1087ad03ae9ac8d29fb8

SHA512
b65a230f4c7952632bc80dae5c609e1aa195982d0cea21e6b4cb91c04cd32c8a32eeea1c3537f47c2a7e383b61dd090ce55e1df58503d5e566e89033215e1169

Download Submit
C:\Windows\Temp\$$$ms.gif .exe

Filesize
27KB

MD5
6bc22ba8f49e8e9662b7fe3d8686d2e5

SHA1
40a247ef1b36fbf3dc0b7df29904d63f58b35463

SHA256
9827cf0173404e1fac888dcc57e3af6568d9a73e8f95c6c8ed1ef07b6553788c

SHA512
ce561fccdf898183924509f0d703f0fde59f975e8d8708dfd55cbd06ea447570174695fbfa773328cc2bfd4f2537fb6f3bc937acfb1ce1d72567b25827a2a2ad

Download Submit
memory/2056-15-0x0000000000400000-0x000000000041C200-memory.dmp

Filesize
112KB

Download
memory/2056-22-0x00000000001B0000-0x00000000001CD000-memory.dmp

Filesize
116KB

Download
memory/2056-29-0x00000000001B0000-0x00000000001CD000-memory.dmp

Filesize
116KB

Download
memory/2056-40-0x0000000000400000-0x000000000041C200-memory.dmp

Filesize
112KB

Download
memory/2336-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2336-12-0x0000000002670000-0x000000000268D000-memory.dmp

Filesize
116KB

Download
memory/2336-5-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/2336-19-0x0000000002670000-0x000000000268D000-memory.dmp

Filesize
116KB

Download
memory/2336-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3032-33-0x0000000000400000-0x000000000041C200-memory.dmp

Filesize
112KB

Download