Analysis
- max time kernel: 0s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 10:16

Behavioral task: behavioral1
- Sample: 325bbbe1ee2f09f72e1084acae849bf8.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 325bbbe1ee2f09f72e1084acae849bf8.exe
- Resource: win10v2004-20231215-en
General
- Target: 325bbbe1ee2f09f72e1084acae849bf8.exe
- Size: 18.6MB
- MD5: 325bbbe1ee2f09f72e1084acae849bf8
- SHA1: f75c355e3277410919f5c7b7436fbcaa8b86fce1
- SHA256: c605e919a0b6a36830a388be8e43a29a81139d095cea8f04269a349872afdebe
- SHA512: 506685f3a72c3f489aaf239d7190893aa4ec89eceab12cf858bdfa237ee2883f1397432aa5fb9b8951bb6097ae0970685d44227fbca0f08e8f5371f5200bc79c
- SSDEEP: 393216:mAP1dyZTDeIRs4dpRhuGCTxhAQZTAkWNGgp:T1qDeIRLutt/TAt5
Malware Config
Signatures

Loads dropped DLL (12 IoCs)
  pid   Process
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe
  2360  325bbbe1ee2f09f72e1084acae849bf8.exe

YARA rule match
  resource                                      yara_rule
  behavioral1/files/0x0006000000018ba1-187.dat  vmprotect

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 3024 wrote to memory of 2360  3024  325bbbe1ee2f09f72e1084acae849bf8.exe  28
  PID 3024 wrote to memory of 2360  3024  325bbbe1ee2f09f72e1084acae849bf8.exe  28
  PID 3024 wrote to memory of 2360  3024  325bbbe1ee2f09f72e1084acae849bf8.exe  28
  PID 3024 wrote to memory of 2360  3024  325bbbe1ee2f09f72e1084acae849bf8.exe  28
  PID 2360 wrote to memory of 2928  2360  325bbbe1ee2f09f72e1084acae849bf8.exe  22
  PID 2360 wrote to memory of 2928  2360  325bbbe1ee2f09f72e1084acae849bf8.exe  22
  PID 2360 wrote to memory of 2928  2360  325bbbe1ee2f09f72e1084acae849bf8.exe  22
  PID 2360 wrote to memory of 2928  2360  325bbbe1ee2f09f72e1084acae849bf8.exe  22
  PID 2928 wrote to memory of 2856  2928  325bbbe1ee2f09f72e1084acae849bf8.exe  23
  PID 2928 wrote to memory of 2856  2928  325bbbe1ee2f09f72e1084acae849bf8.exe  23
  PID 2928 wrote to memory of 2856  2928  325bbbe1ee2f09f72e1084acae849bf8.exe  23
  PID 2928 wrote to memory of 2856  2928  325bbbe1ee2f09f72e1084acae849bf8.exe  23
Processes

Process tree (indentation shows parent/child depth):

- [1] C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
  PID: 3024
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
    PID: 2360
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

- [1] C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
  PID: 2928
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
    PID: 2856
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
      PID: 1724
      - [4] C:\Users\Admin\AppData\Local\Temp\Defender.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        PID: 2308
        - [5] C:\Users\Admin\AppData\Local\Temp\Defender.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
          PID: 1080

- [1] C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 2532
Network
MITRE ATT&CK Enterprise v15
Downloads