Analysis

  • max time kernel
    138s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 06:53

General

  • Target

    2c50e023a70ce3e815fa3dafec03ca76.exe

  • Size

    10KB

  • MD5

    2c50e023a70ce3e815fa3dafec03ca76

  • SHA1

    f36008f81d8a8ac4882fc6655fe9d509f1554e94

  • SHA256

    2d56af34d26bee94fd603a8936d996670c9073c87a12f421e486946938b2c106

  • SHA512

    9468a3a2bfd1a02988e1dfeb85e409dd81f520bc8b44f69fda0fc299eb2e3466d0bfc952173bae05742c6c04fc912a611e81c62f08b5e6dc59bc4ee8baebf79f

  • SSDEEP

    192:fTBgqPYKAo2KF1lcCDZDp1ChDd3xZp0TUMAMKwkHR4p2KNGrUhU/yTDl:+AAo2o1ljD5a/zp0wMRTp2KNGgGs

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c50e023a70ce3e815fa3dafec03ca76.exe
    "C:\Users\Admin\AppData\Local\Temp\2c50e023a70ce3e815fa3dafec03ca76.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\killme.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2912
  • C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    1⤵
    • Gathers network information
    PID:1292
  • C:\Windows\Tasks\ghost.exe
    C:\Windows\Tasks\ghost.exe
    1⤵
    • Drops file in Drivers directory
    • Modifies Installed Components in the registry
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2768

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          912B

          MD5

          48ec95bacc8186d72cce11b9584faeb7

          SHA1

          0a6900de60be125b545d36a55f56bd0f7db18d32

          SHA256

          402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

          SHA512

          42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

        • C:\Windows\Tasks\ghost.exe

          Filesize

          10KB

          MD5

          a060ebf59e324ab574b810d562b698a2

          SHA1

          cd5dbd26a2306510597ac53420d741f2cc8d6e31

          SHA256

          a74458b1c94b60065f66429f096349789beb2a43e58dda9889591cca1c0dba67

          SHA512

          c85bb6db3f3429399e24cced1e9a818859a8c01e10a044c29a31eca85824f3933d2132f5c56b67eeae41d8761b1600811382c5d99ce02e45fa5d866fe743d003

        • C:\Windows\Tasks\hackshen.vbs

          Filesize

          97B

          MD5

          1116c85bde2127bf8df9b9f9315fa76e

          SHA1

          c840088467ed3a448ed113bb1fac61ad28c41867

          SHA256

          56632bd650aca56d077bd6ad20b0db1b34968ff90dcbeb083cf4cd1b6f80cdba

          SHA512

          054cf51780ddfa128a66ca1ea46a5927a2c4cf27794079902c5907ff0f0bd9792d3c22663888efea7436613ff162aa36a822b71cfed47e1e45082a7d5fb2930c

        • \??\c:\killme.bat

          Filesize

          131B

          MD5

          4cae0940ea383a15ca9fa89763c62063

          SHA1

          ef83f9b8b3b0a89e84ae60ae2d07bcd84121901c

          SHA256

          638f82fb8e74a6c464b48664f8ee8dcd6de457b7be69336187ebd9ada532dd94

          SHA512

          0c074ae55f9c69347be1bdf72ee9c5b3c99eded3b3121ac221ab4d5075d6fedda6bca26836f72cca1a7971333ca76677f55322800f0b52cfac260e64974ab16f

        • memory/2532-8-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2768-22-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2768-48-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2768-82-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2768-110-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2768-355-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB