Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 00:32
Static task: static1
Behavioral task: behavioral1
  Sample: 21d3f9689561df6f1111c30c2681555f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 21d3f9689561df6f1111c30c2681555f.exe
  Resource: win10v2004-20231222-en
General
Target: 21d3f9689561df6f1111c30c2681555f.exe
Size: 327KB
MD5: 21d3f9689561df6f1111c30c2681555f
SHA1: 932843a307487852cc76f340808ec0763ac529d5
SHA256: 052fb311740ae04a0ade1401a1a9312db0e7f1d8f1602950eda24498e624354c
SHA512: 8a28071c506cfba2e27c04ca32e5dbc82cd64f1a1db7b74b47ad2394d88ee62b0f1afaf01891f093d524259d5e5bf182900f7e92dda06638bb2a016d6bc0486b
SSDEEP: 6144:Zr469uEo2S1YnQmCX492DkwNP3qpYFGgjwuBGVdLAt4ZHd2i3gjd+ZD/6Fr:Zr4iu6/eIo4Rsw33AtsmQ6
Malware Config
Signatures
-
Loads dropped DLL (3 IoCs)
  pid   Process
  2548  21d3f9689561df6f1111c30c2681555f.exe
  2548  21d3f9689561df6f1111c30c2681555f.exe
  2548  21d3f9689561df6f1111c30c2681555f.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description           ioc                                                      Process
  Key opened            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  21d3f9689561df6f1111c30c2681555f.exe
  Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  21d3f9689561df6f1111c30c2681555f.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2548  21d3f9689561df6f1111c30c2681555f.exe
  2548  21d3f9689561df6f1111c30c2681555f.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 2548 wrote to memory of 3028  2548  21d3f9689561df6f1111c30c2681555f.exe  95
  PID 2548 wrote to memory of 3028  2548  21d3f9689561df6f1111c30c2681555f.exe  95
  PID 2548 wrote to memory of 3028  2548  21d3f9689561df6f1111c30c2681555f.exe  95
Processes
- C:\Users\Admin\AppData\Local\Temp\21d3f9689561df6f1111c30c2681555f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21d3f9689561df6f1111c30c2681555f.exe"
  PID: 2548
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2548)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin7053.bat"
    PID: 3028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1020B
MD5: 939cc2388bb1ce9629259aab647df0a3
SHA1: 9cae7ae54376858144765944f1bededeb787f7f7
SHA256: 82c6e4432e96398f4472385e965ef268fea0c00e826a4244a6e93132184f31a0
SHA512: 95bc32f112d00f9a5ce1676a4c020eecfe64db49f03c45e9ab4375bf3a9d7a3bb1fed74e815b06159dc2714afa6ba0cd4b770c303f429ae9c886cf19be7d5649
-
Filesize: 92KB
MD5: 1f905acec7b77e7b5a1c6c85c397acfc
SHA1: 22331834ed8b991c4db0695f9c677316b0b7c592
SHA256: bb6cb380d01828b1f53b98f8dada1e9b879cf1b959145f3071ed5bf4016307be
SHA512: c8d925b0d8636ae9434f0c1c6bed739a2c3e7108642e9e32e5aac28a383cab9a2aa63773eea20e1cd0504a75bb2c0fbb7923cacb2ab1d0450e307e5e4cf507d4
-
Filesize: 92KB
MD5: 69d3b5145a4ad4bbd7e060a64d6ba852
SHA1: 8ee672aa1cedd924381304784344a62a40f39c29
SHA256: 89250bf73e501d37ad85c84468ffeab70241763da4705b98776a788a5171b8e1
SHA512: 6451887d9c0a4370bf8cbcfc85ed1458f08a5c62ba458a80e2b0f6bf78f32cd96a47d8f635e3e13a82a048a587191ba1106aec36e65dc0ab6030b5a9c8cdd349