Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
31-12-2023 05:48
Behavioral task
behavioral1
Sample
2a9c6866c54dada1b35d93dc1b4fda70.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2a9c6866c54dada1b35d93dc1b4fda70.exe
Resource
win10v2004-20231222-en
General
-
Target
2a9c6866c54dada1b35d93dc1b4fda70.exe
-
Size
10KB
-
MD5
2a9c6866c54dada1b35d93dc1b4fda70
-
SHA1
dea25f93eef92f7b125b7e091002cf50f093e4f5
-
SHA256
025a59820a9d4864aac68959398967b67de3567fbc6865fed28fd50e6c844588
-
SHA512
2abdd652c7f5613f995c80a9ff56cd28db6cd44c0150aa52c4df34ccd75f3e43c58e9fb07193d1a7bb219fdf91dc44b6b24df72f183553a6fd1581240cf2e204
-
SSDEEP
192:Rywqv+F7pQtH5dWVJLD9popPzvKx1jRN6TDzi/6DGLdtYvZcLbf+OHTTFZ:I5g7pQtHDYLD0p2n+DO/I6YvObjzr
Malware Config
Signatures
-
Modifies AppInit DLL entries 2 TTPs
-
Deletes itself 1 IoCs
pid Process
2268 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process
2792 comboausk.exe -
Loads dropped DLL 2 IoCs
pid Process
2436 2a9c6866c54dada1b35d93dc1b4fda70.exe
2436 2a9c6866c54dada1b35d93dc1b4fda70.exe -
resource yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/files/0x0021000000015c63-3.dat upx
behavioral1/memory/2436-4-0x0000000000030000-0x000000000003E000-memory.dmp upx
behavioral1/memory/2436-11-0x0000000000030000-0x000000000003E000-memory.dmp upx
behavioral1/memory/2792-12-0x0000000000400000-0x000000000040E000-memory.dmp upx
behavioral1/memory/2436-20-0x0000000000400000-0x000000000040E000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\comboaus.dll 2a9c6866c54dada1b35d93dc1b4fda70.exe
File created C:\Windows\SysWOW64\comboausk.exe 2a9c6866c54dada1b35d93dc1b4fda70.exe
File opened for modification C:\Windows\SysWOW64\comboausk.exe 2a9c6866c54dada1b35d93dc1b4fda70.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2436 2a9c6866c54dada1b35d93dc1b4fda70.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2436 wrote to memory of 2792 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 28
PID 2436 wrote to memory of 2792 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 28
PID 2436 wrote to memory of 2792 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 28
PID 2436 wrote to memory of 2792 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 28
PID 2436 wrote to memory of 2268 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 29
PID 2436 wrote to memory of 2268 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 29
PID 2436 wrote to memory of 2268 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 29
PID 2436 wrote to memory of 2268 2436 2a9c6866c54dada1b35d93dc1b4fda70.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a9c6866c54dada1b35d93dc1b4fda70.exe
"C:\Users\Admin\AppData\Local\Temp\2a9c6866c54dada1b35d93dc1b4fda70.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436 -
  C:\Windows\SysWOW64\comboausk.exe
  C:\Windows\system32\comboausk.exe ˜‰
  - Executes dropped EXE
  PID:2792
-
-
  C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2a9c6866c54dada1b35d93dc1b4fda70.exe.bat
  - Deletes itself
  PID:2268
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
182B
MD5
5a332eb591d52894682088ec5ad6a031
SHA1
43445b7badfd771e534703797bfdfcacb8bc6dc1
SHA256
ba6840457c8a916d363b5c710a8ec5797391b20f46d387ad462e20fa24b6f79d
SHA512
7bd5def3d99fea70fb92a4cb2e68dcf335e04151f755704d7641fed619c5944e228ecf9213d892ffc9ef316d492b85f55640d43fb4387233b8e57fa4082f1bbf
-
Filesize
10KB
MD5
2a9c6866c54dada1b35d93dc1b4fda70
SHA1
dea25f93eef92f7b125b7e091002cf50f093e4f5
SHA256
025a59820a9d4864aac68959398967b67de3567fbc6865fed28fd50e6c844588
SHA512
2abdd652c7f5613f995c80a9ff56cd28db6cd44c0150aa52c4df34ccd75f3e43c58e9fb07193d1a7bb219fdf91dc44b6b24df72f183553a6fd1581240cf2e204