Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
31/12/2023, 05:13
Static task
static1
Behavioral task
behavioral1
Sample
298d292b1dbe4f746d3c3a7c4725e150.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
298d292b1dbe4f746d3c3a7c4725e150.exe
Resource
win10v2004-20231215-en
General
-
Target
298d292b1dbe4f746d3c3a7c4725e150.exe
-
Size
184KB
-
MD5
298d292b1dbe4f746d3c3a7c4725e150
-
SHA1
9f5333a1518330bb9855b14bff56d37a1479b18c
-
SHA256
31c85ad0d3b8506222d7eafac77a7fedf6f0e176d7c1eba8ca2753ebcdc07081
-
SHA512
c037539fbfd567d0a0d97ca066cff42f09c95ed62a930cf3307983ffb5d83bd66eeaa0c9cc7eb8037c648fab82c7baafe2e48ef98f8109cff288e4930482c819
-
SSDEEP
3072:mk2kO1HTcdFqA6lEoj+nncGz2HMN0PD1nIXeelDI:p2XpcdoAeScHMN0b1nIu
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2112  cmd.exe
-
Drops file in System32 directory 3 IoCs
description                   ioc                              Process
File created                  C:\Windows\SysWOW64\~rv.bat      298d292b1dbe4f746d3c3a7c4725e150.exe
File created                  C:\Windows\SysWOW64\pmssvp.dll   298d292b1dbe4f746d3c3a7c4725e150.exe
File opened for modification  C:\Windows\SysWOW64\pmssvp.dll   298d292b1dbe4f746d3c3a7c4725e150.exe
-
Modifies registry class 3 IoCs
description      ioc                                                                                                         Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument.3.8                                                   298d292b1dbe4f746d3c3a7c4725e150.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument.3.8\CLSID                                             298d292b1dbe4f746d3c3a7c4725e150.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument.3.8\CLSID\ = "{88d96a05-f192-11d4-a65f-0040963251e5}"  298d292b1dbe4f746d3c3a7c4725e150.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
1940  298d292b1dbe4f746d3c3a7c4725e150.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1940  298d292b1dbe4f746d3c3a7c4725e150.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description                       pid   Process                               procid_target
PID 1940 wrote to memory of 1080  1940  298d292b1dbe4f746d3c3a7c4725e150.exe  9
PID 1940 wrote to memory of 2112  1940  298d292b1dbe4f746d3c3a7c4725e150.exe  28
PID 1940 wrote to memory of 2112  1940  298d292b1dbe4f746d3c3a7c4725e150.exe  28
PID 1940 wrote to memory of 2112  1940  298d292b1dbe4f746d3c3a7c4725e150.exe  28
PID 1940 wrote to memory of 2112  1940  298d292b1dbe4f746d3c3a7c4725e150.exe  28
Processes
-
C:\Windows\System32\spoolsv.exe
Command line: C:\Windows\System32\spoolsv.exe
1⤵ PID:1080
-
C:\Users\Admin\AppData\Local\Temp\298d292b1dbe4f746d3c3a7c4725e150.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\298d292b1dbe4f746d3c3a7c4725e150.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Windows\system32\~rv.bat
2⤵
- Deletes itself
PID:2112
-
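The process tree and signatures above describe one behaviour chain: the sample drops ~rv.bat and pmssvp.dll into SysWOW64, registers the Msxml2.DOMDocument.3.8 ProgID with a CLSID, writes into the memory of spoolsv.exe (PID 1080) and of its cmd.exe child, and finally runs cmd /c ~rv.bat, which removes the original binary. The script below is an added example of turning those indicators into a host-side hunt over Sysmon-style events; it is not part of the sandbox report or of the sample. The event records are constructed to mirror the report, the Sysmon event IDs and field names (1 ProcessCreate, 10 ProcessAccess, 11 FileCreate, 13 RegistryEvent) are the standard ones, and the mapping of the report's "WriteProcessMemory" signature onto a ProcessAccess event carrying PROCESS_VM_WRITE (0x20) in GrantedAccess is an assumption about how that behaviour surfaces in telemetry. The batch file is invoked via C:\Windows\system32 but was dropped into SysWOW64; a 32-bit cmd.exe on 64-bit Windows is subject to WoW64 file-system redirection, so the rule keys on the file name rather than the directory.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Indicators copied from the report's Signatures and Processes sections.
DROPPED_FILES = {
    r"c:\windows\syswow64\~rv.bat",
    r"c:\windows\syswow64\pmssvp.dll",
}
REGISTRY_KEY = r"hklm\software\classes\msxml2.domdocument.3.8"
MSXML_CLSID = "{88d96a05-f192-11d4-a65f-0040963251e5}"
# "cmd /c C:\Windows\system32\~rv.bat" from a 32-bit cmd.exe reaches SysWOW64
# through WoW64 redirection, so match on the batch name, not its directory.
SELF_DELETE_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+\S*\\~rv\.bat\b', re.IGNORECASE)
INJECTION_TARGET = r"c:\windows\system32\spoolsv.exe"
PROCESS_VM_WRITE = 0x0020  # handle right WriteProcessMemory needs (assumed telemetry mapping)


def norm_path(p: object) -> str:
    return str(p).lower()


def norm_reg(key: object) -> str:
    # Sandbox output uses \REGISTRY\MACHINE, Sysmon logs HKLM; fold both spellings.
    k = str(key).lower()
    return k.replace(r"\registry\machine", "hklm").replace("hkey_local_machine", "hklm")


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches an indicator."""
    hits: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            if norm_path(ev.get("TargetFilename", "")) in DROPPED_FILES:
                hits.append(("dropped_file_in_syswow64", i))
        elif eid == 13:  # RegistryEvent, value set
            key = norm_reg(ev.get("TargetObject", ""))
            details = str(ev.get("Details", "")).lower()
            if key.startswith(REGISTRY_KEY) and MSXML_CLSID in details:
                hits.append(("msxml_progid_registered", i))
        elif eid == 1:  # ProcessCreate
            if SELF_DELETE_RE.search(str(ev.get("CommandLine", ""))):
                hits.append(("self_delete_batch", i))
        elif eid == 10:  # ProcessAccess; GrantedAccess is a hex string such as 0x1FFFFF
            access = int(str(ev.get("GrantedAccess", "0x0")), 16)
            if norm_path(ev.get("TargetImage", "")) == INJECTION_TARGET and access & PROCESS_VM_WRITE:
                hits.append(("vm_write_into_spoolsv", i))
    return hits


def matched_rules(events: List[Event]) -> List[str]:
    """Distinct rules that fired, sorted; all four present means the whole chain was seen."""
    return sorted({name for name, _ in hunt(events)})


# Constructed Sysmon-style records mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 1940,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\298d292b1dbe4f746d3c3a7c4725e150.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\298d292b1dbe4f746d3c3a7c4725e150.exe"'},
    {"EventID": 11, "ProcessId": 1940, "TargetFilename": r"C:\Windows\SysWOW64\~rv.bat"},
    {"EventID": 11, "ProcessId": 1940, "TargetFilename": r"C:\Windows\SysWOW64\pmssvp.dll"},
    {"EventID": 13, "ProcessId": 1940, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Msxml2.DOMDocument.3.8\CLSID\(Default)",
     "Details": "{88d96a05-f192-11d4-a65f-0040963251e5}"},
    {"EventID": 10, "SourceProcessId": 1940, "TargetProcessId": 1080,
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 2112, "ParentProcessId": 1940,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c C:\Windows\system32\~rv.bat"},
    # Benign noise: an ordinary file create, and a spoolsv.exe handle without VM_WRITE.
    {"EventID": 11, "ProcessId": 4000, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 10, "SourceProcessId": 5000, "TargetProcessId": 1080,
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:26s} event[{idx}] {SAMPLE_EVENTS[idx]}")
```

Run it as-is to see the five hits from the constructed records; to use it on real data, feed hunt() a list of Sysmon events parsed from EVTX or your SIEM export with the same field names. The file and registry rules are tight to this sample; the spoolsv.exe VM_WRITE rule is the generic one and will also flag legitimate debuggers and some security tools, so treat it as a lead, not a verdict.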
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
301B
MD5     c53de1152ec5377f1171436ed80d784e
SHA1    6b0f0728f92a739cdc52ed93f53a38b69ca10ef1
SHA256  ac8e5638bbf2a64b02243c36f6bd746cce2a7bc118d9a21418f1d0824f7b8b8e
SHA512  6495c2d9b0f347474264c22be34be13f495d96284a4f896b36cef22c78c09b62b8982b5de9c4f83f4c799be4fc6e44896165b1f6a46e95896576bbded0b796d3