Analysis
max time kernel: 127s
max time network: 137s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 31/12/2023, 12:20
Static task: static1
Behavioral task: behavioral1
Sample: 35fc17285530e2e4cca50280b5f4b4b1.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 35fc17285530e2e4cca50280b5f4b4b1.exe
Resource: win10v2004-20231222-en
General
Target: 35fc17285530e2e4cca50280b5f4b4b1.exe
Size: 100KB
MD5: 35fc17285530e2e4cca50280b5f4b4b1
SHA1: eeb99a190a22a13e28f54aac5fc90364c1061064
SHA256: e65e98c2c80f48b6a7c49b10e60ce0a02d1bc227dcccc407afd9b385cc99c252
SHA512: 549ff273187337621fc477f6d52aecde1af34a557f75e258d81d559a2966933674e34e88f84f7a0c68fbf4cb5e533b086402687203714158f36f63664a109b41
SSDEEP: 3072:BnCmdNuEYbWfWLHtTBfNtyi0xNLb4CC0Tyl6pwu1kC:BZbuTbqWLHtTBVtyi0f8CCSyAPb
Malware Config
Signatures

Drops file in Drivers directory (1 IoCs)
description: File opened for modification
ioc: C:\Windows\SysWOW64\drivers\beep.sys
Process: 35fc17285530e2e4cca50280b5f4b4b1.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netdde\Parameters\ServiceDll = "C:\\Windows\\system32\\TambtsD.dll"
Process: 35fc17285530e2e4cca50280b5f4b4b1.exe

Deletes itself (1 IoCs)
pid: 2948 | Process: cmd.exe

Loads dropped DLL (2 IoCs)
pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
pid: 2980 | Process: svchost.exe

YARA matches (resource | yara_rule)
behavioral1/memory/2980-9-0x0000000010000000-0x0000000010019000-memory.dmp | vmprotect
behavioral1/files/0x000c0000000133ba-8.dat | vmprotect
behavioral1/memory/2860-6-0x0000000010000000-0x0000000010019000-memory.dmp | vmprotect

Drops file in System32 directory (1 IoCs)
description: File opened for modification
ioc: C:\Windows\SysWOW64\TambtsD.dll
Process: 35fc17285530e2e4cca50280b5f4b4b1.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe

Suspicious behavior: LoadsDriver (1 IoCs)
pid: 476 | Process: Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
description: Token: SeIncBasePriorityPrivilege | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2860 wrote to memory of 2948 | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 17
description: PID 2860 wrote to memory of 2948 | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 17
description: PID 2860 wrote to memory of 2948 | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 17
description: PID 2860 wrote to memory of 2948 | pid: 2860 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 17
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe"
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2860

  Level 2 (child of PID 2860): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35FC17~1.EXE > nul
  - Deletes itself
  PID: 2948

Level 1: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
- Loads dropped DLL
PID: 2980
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 78KB
MD5: db603e204991123fbd757e4756555931
SHA1: 69c6299a1590d51bf28fa8f64d0119d8af246e19
SHA256: 33578f21466c058bb343b302e3d8f4d6683b2b961f71d89342117b4038c176b3
SHA512: 468813dbbf44334f934775ab3605424e30fad594939893107dd6d3eab77793ceb5b4d62c05ab7802e31374ded402cae7c6fd250e5f5ffc281ce698d619051691