Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30-12-2023 12:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1881aa92cece59c3cdc606a28e0f5b46.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1881aa92cece59c3cdc606a28e0f5b46.exe
  Resource: win10v2004-20231215-en
General
- Target: 1881aa92cece59c3cdc606a28e0f5b46.exe
- Size: 7KB
- MD5: 1881aa92cece59c3cdc606a28e0f5b46
- SHA1: 35951a487fb2696a76fdc71ab40459a6ec9ef2fb
- SHA256: 0a41ca962239a22f41d88370c02fc117d98f0d7cd333d8272a9e258cc4b7327a
- SHA512: 63b27c169cdc7116bdd7dc049f326eb2b88755bb3a06af62daaad99d5697fffdbd7e54b78b7b96250190164992a1d5235bd66b300116931c3db5527f8a58cd12
- SSDEEP: 192:MYRnJcVcjcDcSeeWhQ2P3Sjf0201zF2piDPbpQSzECXap:MuWVc4QSee/2vSjfT01zF2piDDRY
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2464 | rundll32.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2464 | rundll32.exe
- Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\sys07002.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\sys07002.sys | rundll32.exe
  File created | C:\Windows\SysWOW64\gdipro.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\gdipro.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\srpcss.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\srpcss.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\sys07002.dll | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2464 | rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2464 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
  PID 2060 wrote to memory of 2464 | 2060 | 1881aa92cece59c3cdc606a28e0f5b46.exe | 28
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\1881aa92cece59c3cdc606a28e0f5b46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1881aa92cece59c3cdc606a28e0f5b46.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2060
  - Depth 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\~f7668f0.tmp INS C:\Users\Admin\AppData\Local\Temp\1881aa92cece59c3cdc606a28e0f5b46.exe
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2464
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 25KB
  MD5: 5dfdd5e48502ab22e3cd7c1922c2e286
  SHA1: c27bc9a4269adb96b4ac04ab6ef9e2be05c34ea1
  SHA256: 1660178e47b76ea584f387f9c82bedb4e049616452ccfad291bce4da1804767d
  SHA512: ea2e806fd44b530b632c3ca97ec9b785171caa05328ba07c317e227a3fc15b72d4437ef2e17020789fb6acda5fe134d0d14a1d1ede8a9d55f066d671c59ec0b8