Analysis
  Max time kernel: 117s
  Max time network: 118s
  Platform: windows7_x64
  Resource: win7-20231215-en
  Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  Submitted: 31-12-2023 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2c136aa55d66577608f8d74d3ff0d1cc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2c136aa55d66577608f8d74d3ff0d1cc.exe
  Resource: win10v2004-20231215-en
General
  Target: 2c136aa55d66577608f8d74d3ff0d1cc.exe
  Size: 2KB
  MD5: 2c136aa55d66577608f8d74d3ff0d1cc
  SHA1: 516ecb3377bebffd5cc6a73b012e8990fdb66be0
  SHA256: 1e539e4edb08c5fd4a091ca8b96c44e3c3c11034483b9a75d184c5affca68a03
  SHA512: efee1ddfd4834d68a70c5bc6bc1a5336420458dd735e7369027758a3347b9fefa2ba37a864536dfba339e46c61d9df961307e819b40fd6f7eae316da20ec20fb
Malware Config
Signatures
  Drops file in System32 directory (1 IoC)
    Description: File opened for modification | IoC: C:\Windows\SysWOW64\regedit.exe | Process: attrib.exe
  Drops file in Windows directory (64 IoCs)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious use of WriteProcessMemory (8 IoCs; the raw report lists each of the two distinct entries below four times)
    Description: PID 2800 wrote to memory of 2032 | PID: 2800 | Process: 2c136aa55d66577608f8d74d3ff0d1cc.exe | procid_target: 28
    Description: PID 2032 wrote to memory of 2376 | PID: 2032 | Process: cmd.exe | procid_target: 30
  Views/modifies file attributes (1 TTP, 1 IoC)
    PID: 2376 | Process: attrib.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\2c136aa55d66577608f8d74d3ff0d1cc.exe (PID 2800)
     Command line: "C:\Users\Admin\AppData\Local\Temp\2c136aa55d66577608f8d74d3ff0d1cc.exe"
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe (PID 2032, child of 2800)
        Command line: cmd /c ""C:\c0ldW4ff3lz.bat" "
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\attrib.exe (PID 2376, child of 2032)
           Command line: ATTRIB -S -H -R -A C:\Windows\*
           - Drops file in System32 directory
           - Drops file in Windows directory
           - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 144B
  MD5: ac6dc4ca9cd7dfc654f8994603163ad7
  SHA1: 190b3c2d7268a1526b7cf6c3e9d5a2ac400e151f
  SHA256: fc94bbf991dfc7e5ece390ec84b0f93b21aeac47667a90d302ee382764cfa820
  SHA512: 0c34191973e299c803be4aa439a56791ba5ad6db7bf17981978167724c133f1016006871d0a4919ca53d61dc6c2dedf625efa94d205a5b4efdae9e254aafde8c