Analysis
  max time kernel: 149s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/12/2023, 12:20
Static task: static1
Behavioral task: behavioral1
  Sample: 35fc17285530e2e4cca50280b5f4b4b1.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 35fc17285530e2e4cca50280b5f4b4b1.exe
  Resource: win10v2004-20231222-en
General
  Target: 35fc17285530e2e4cca50280b5f4b4b1.exe
  Size: 100KB
  MD5: 35fc17285530e2e4cca50280b5f4b4b1
  SHA1: eeb99a190a22a13e28f54aac5fc90364c1061064
  SHA256: e65e98c2c80f48b6a7c49b10e60ce0a02d1bc227dcccc407afd9b385cc99c252
  SHA512: 549ff273187337621fc477f6d52aecde1af34a557f75e258d81d559a2966933674e34e88f84f7a0c68fbf4cb5e533b086402687203714158f36f63664a109b41
  SSDEEP: 3072:BnCmdNuEYbWfWLHtTBfNtyi0xNLb4CC0Tyl6pwu1kC:BZbuTbqWLHtTBVtyi0f8CCSyAPb
Malware Config
Signatures
- Drops file in Drivers directory (1 IoCs)
  description: File opened for modification | ioc: C:\Windows\SysWOW64\drivers\beep.sys | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netdde\Parameters\ServiceDll = "C:\\Windows\\system32\\TfmitxD.dll" | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
- Loads dropped DLL (2 IoCs)
  pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
  pid: 2716 | Process: svchost.exe
- resource | yara_rule
  behavioral2/files/0x000700000002320a-4.dat | vmprotect
  behavioral2/files/0x000700000002320a-8.dat | vmprotect
  behavioral2/memory/2716-10-0x0000000010000000-0x0000000010019000-memory.dmp | vmprotect
  behavioral2/memory/1760-6-0x0000000010000000-0x0000000010019000-memory.dmp | vmprotect
  behavioral2/memory/2716-11-0x0000000010000000-0x0000000010019000-memory.dmp | vmprotect
- Drops file in System32 directory (1 IoCs)
  description: File opened for modification | ioc: C:\Windows\SysWOW64\TfmitxD.dll | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
  pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid: 660 | Process: Process not Found
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
  description: Token: SeIncBasePriorityPrivilege | pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1760 wrote to memory of 2036 | pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 19
  description: PID 1760 wrote to memory of 2036 | pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 19
  description: PID 1760 wrote to memory of 2036 | pid: 1760 | Process: 35fc17285530e2e4cca50280b5f4b4b1.exe | procid_target: 19
Processes
- C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe"
  PID: 1760
  - Drops file in Drivers directory
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35FC17~1.EXE > nul
    PID: 2036
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
  PID: 2716
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: db603e204991123fbd757e4756555931
  SHA1: 69c6299a1590d51bf28fa8f64d0119d8af246e19
  SHA256: 33578f21466c058bb343b302e3d8f4d6683b2b961f71d89342117b4038c176b3
  SHA512: 468813dbbf44334f934775ab3605424e30fad594939893107dd6d3eab77793ceb5b4d62c05ab7802e31374ded402cae7c6fd250e5f5ffc281ce698d619051691