afaffd0f014482a2bb5c43bac5841c120807b176e74cc279354a9dd916ac8cc9

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2284d09841892754af3b9e19978a72bd.exe
Size

44KB
MD5

2284d09841892754af3b9e19978a72bd
SHA1

15f27dfc3637cb00fa7a194b4e2b6936e0399203
SHA256

afaffd0f014482a2bb5c43bac5841c120807b176e74cc279354a9dd916ac8cc9
SHA512

db483d6c9b5680d4b2a370dc5cd237969cf63757c5540c890da67ed1cffa5a4d9267952099d5b926b7525e31da91a8af7cad63eecc0cee35bb9934ce19e9022b
SSDEEP

768:0lJTfvi9Tg42da31YfUkoXuPmlf5IrvzxNId5R8m/l4PLBZDvXd8mSx:KJTfvsg42U6UkrmXlF/laZDXKmSx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	change-me-now.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	2284d09841892754af3b9e19978a72bd.exe
2056	2284d09841892754af3b9e19978a72bd.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File opened for modification	C:\Windows\SysWOW64\change-me-now.exe	2284d09841892754af3b9e19978a72bd.exe
File created	C:\Windows\SysWOW64\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe	2284d09841892754af3b9e19978a72bd.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe
File created	C:\Windows\SysWOW64\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe\change-me-now.exe	change-me-now.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2744	2056	2284d09841892754af3b9e19978a72bd.exe	28
PID 2056 wrote to memory of 2744	2056	2284d09841892754af3b9e19978a72bd.exe	28
PID 2056 wrote to memory of 2744	2056	2284d09841892754af3b9e19978a72bd.exe	28
PID 2056 wrote to memory of 2744	2056	2284d09841892754af3b9e19978a72bd.exe	28

C:\Users\Admin\AppData\Local\Temp\2284d09841892754af3b9e19978a72bd.exe
"C:\Users\Admin\AppData\Local\Temp\2284d09841892754af3b9e19978a72bd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\change-me-now.exe
  C:\Windows\system32\change-me-now.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\change-me-now.exe

Filesize
44KB

MD5
2284d09841892754af3b9e19978a72bd

SHA1
15f27dfc3637cb00fa7a194b4e2b6936e0399203

SHA256
afaffd0f014482a2bb5c43bac5841c120807b176e74cc279354a9dd916ac8cc9

SHA512
db483d6c9b5680d4b2a370dc5cd237969cf63757c5540c890da67ed1cffa5a4d9267952099d5b926b7525e31da91a8af7cad63eecc0cee35bb9934ce19e9022b

Download Submit
memory/2056-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads