Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    31-12-2023 07:27

General

  • Target

    2d5d90d503605ce6f9ac493d72680d19.exe

  • Size

    99KB

  • MD5

    2d5d90d503605ce6f9ac493d72680d19

  • SHA1

    ecd80682ed4544fad3da63250b177f6ce04df7e3

  • SHA256

    df673aec5df7bdf30ef6699d45abedf4d9e5081471528981223fd47b11068484

  • SHA512

    66b01ff11887c613e261635525f2614a03308744d9de7a84398afc01a08e461bc599e062bd9c83ffb1b47a66fabd4e7e5576a4ad923a159ea004c2c2d8a37972

  • SSDEEP

    1536:n2YnE4M0TMuE89bEKSnCn5mNRqRF1zyoK1EnNAiiRegbOC7:2YE4MmMuESoqn5yR4FVysm3EC7

Score
8/10

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create ufat32 type= share start= auto DisplayName= "FAT Utility DLL" group= "Event Log" binPath= "rundll32.exe C:\Windows\system32\ufat32.dll,ytus"
    1⤵
    • Launches sc.exe
    PID:2640
  • C:\Users\Admin\AppData\Local\Temp\2d5d90d503605ce6f9ac493d72680d19.exe
    "C:\Users\Admin\AppData\Local\Temp\2d5d90d503605ce6f9ac493d72680d19.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe firewall add portopening TCP 1715 messenger
      2⤵
      • Modifies Windows Firewall
      PID:2660
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ufat32 "FAT Utility DLL"
      2⤵
      • Launches sc.exe
      PID:2484
    • C:\Users\Admin\AppData\Local\Temp\4cb8ab14.exe
      "C:\Users\Admin\AppData\Local\Temp\4cb8ab14.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2800
  • C:\Windows\SysWOW64\regedit.exe
    regedit.exe -s C:\ParaTemp.reg
    1⤵
    • Runs .reg file with regedit
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\4cb8ab14.exe

    Filesize

    4KB

    MD5

    e6530213df7a3a99834341697287ec2f

    SHA1

    fc7de2d227e16766feb6b4ec5d480b55e53840aa

    SHA256

    a3e939fe85d84fd9a15a7e654b0334c29d22142ec91f9f9ef3bda8538b08991b

    SHA512

    5bdf1e3dc2ed0e13e1e22d4281dddbb9f8d54ea3d6225aaa3a8d9f56943e547baf2a5520db3355cb3441b3d85afbbc412208b60b1deaed26e8f67d7795371a88

  • memory/2440-2-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2440-18-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2800-21-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB