Analysis
- max time kernel: 171s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01-01-2024 01:46
Tasks
- Static task static1
- Behavioral task behavioral1: sample 3b94f478fb801da81afd7983544cb2f4.exe, resource win7-20231215-en
- Behavioral task behavioral2: sample 3b94f478fb801da81afd7983544cb2f4.exe, resource win10v2004-20231222-en
General
- Target: 3b94f478fb801da81afd7983544cb2f4.exe (the file name is the sample's own MD5)
- Size: 566KB
- MD5: 3b94f478fb801da81afd7983544cb2f4
- SHA1: 7fd3ac83004ab23e9f8892f879c7ae5034a3a01f
- SHA256: 7e6d86b03ab9c804caef9672f27023c03c8e14a5db6e6c2838944da195facc10
- SHA512: ac77f3e604cf9d0e18329ef02c52505c98c0bd575e03b8fe75542f2e3ce70599fe6857a08452cf3c759df9ea4782ce47f594faef09fe93425ff30cdeaab37014
- SSDEEP: 12288:/zpLFGQ8zenuINBX0mMybZi4pMItbtIplh6vgtgkBUXYhuIS6HOrE+2V6a:/zXZ8inuIn0ly1vpMSbmplYvY/BqJL6e
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 6, pid 2716, rundll32.exe (the xserve instance; see the process tree below)
- Modifies AppInit DLL entries (2 TTPs; no IoC row is shown on the page)
- Loads dropped DLL (14 IoCs)
  pid 2796 rundll32.exe (4 loads), pid 2840 rundll32.exe (5 loads), pid 2716 rundll32.exe (5 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by rundll32.exe:
  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\catcfg40.dll_xserve = "rundll32.exe \"C:\\Windows\\SysWOW64\\catcfg40.dll\",xserve"
  The value relaunches only the xserve export at logon, and it names the SysWOW64 path explicitly rather than the system32 path used on the command lines.
- Drops file in System32 directory (1 IoC)
  File created C:\Windows\SysWOW64\catcfg40.dll by 3b94f478fb801da81afd7983544cb2f4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2840 rundll32.exe, 64 events (the watch instance)
- Suspicious use of WriteProcessMemory (21 IoCs)
  writer pid -> target pid (writer process, target procid): 7 writes each
  2712 -> 2796 (3b94f478fb801da81afd7983544cb2f4.exe, procid 27)
  2796 -> 2840 (rundll32.exe, procid 28)
  2796 -> 2716 (rundll32.exe, procid 29)
  Every write goes from a parent into the child it has just created, the same pattern the sandbox records for ordinary process creation; on its own this is not evidence of injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3b94f478fb801da81afd7983544cb2f4.exe (PID 2712)
   command line: "C:\Users\Admin\AppData\Local\Temp\3b94f478fb801da81afd7983544cb2f4.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2796)
      command line: rundll32.exe "C:\Windows\system32\catcfg40.dll",install
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 2840)
         command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\catcfg40.dll",watch
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\rundll32.exe (PID 2716)
         command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\catcfg40.dll",xserve
         - Blocklisted process makes network request
         - Loads dropped DLL

The command lines reference C:\Windows\system32\, yet the image paths and the dropped file are under C:\Windows\SysWOW64\. The sample is a 32-bit process on x64 Windows, so WOW64 file system redirection maps its System32 accesses to SysWOW64; when hunting for catcfg40.dll on a host, check both directories and match on the file name rather than the literal path. The dropped DLL is driven through three exports: install (sets the Run key and spawns the other two), watch (enumerates processes), and xserve (makes the network request and is the only one re-launched at logon).
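The pattern in the tree above (a Run key whose data launches rundll32 on a DLL that was written to disk during the same run, rundll32 chained from rundll32 against that DLL through several exports, and parent-to-child memory writes at spawn time) is easy to express as endpoint detection logic. The following is an added example, not part of the sandbox output: it runs three rules over constructed Sysmon-style events modelled on this report's signature rows, plus benign control rows and one constructed write into an unrelated process so the third rule has something to rank high. Event field names, the severity labels and the control rows are assumptions of the example.

```python
"""Detection rules for the rundll32/Run-key pattern in this report (added example).

Rules:
  1. run_key_rundll32: a Run key value whose data launches rundll32 on a DLL with an export.
  2. rundll32_dropped_dll: rundll32 processes loading a DLL written during the run, grouped
     per DLL so the export chain (install -> watch, xserve) is visible.
  3. cross_process_write: a parent writing into a child it just spawned scores low; a write
     into a process that is not its child scores high.
"""
import re
from collections import defaultdict

# rundll32 invocation: optional quotes/path, a .dll path, a comma, then an export name or #ordinal.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[\w@#]+)',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)

SID = r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"
RUN = SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b94f478fb801da81afd7983544cb2f4.exe"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"

# Constructed events modelled on the report's rows (field names are assumptions of this example).
EVENTS = [
    {"type": "file_create", "pid": 2712, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\catcfg40.dll"},
    {"type": "process_create", "pid": 2796, "ppid": 2712, "image": RUNDLL,
     "cmdline": r'rundll32.exe "C:\Windows\system32\catcfg40.dll",install'},
    {"type": "reg_set", "pid": 2796, "image": RUNDLL, "key": RUN + r"\catcfg40.dll_xserve",
     "data": r'rundll32.exe "C:\Windows\SysWOW64\catcfg40.dll",xserve'},
    {"type": "process_create", "pid": 2840, "ppid": 2796, "image": RUNDLL,
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\catcfg40.dll",watch'},
    {"type": "process_create", "pid": 2716, "ppid": 2796, "image": RUNDLL,
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\catcfg40.dll",xserve'},
    {"type": "wpm", "pid": 2712, "target_pid": 2796},  # one row per parent/child pair in the report
    {"type": "wpm", "pid": 2796, "target_pid": 2840},
    {"type": "wpm", "pid": 2796, "target_pid": 2716},
    # Constructed controls, not from the report: a vendor tray app, a stock rundll32 use,
    # and a write from an unrelated process into pid 4100 to exercise rule 3's high branch.
    {"type": "reg_set", "pid": 4000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": RUN + r"\VendorTray", "data": r'"C:\Program Files\Vendor\tray.exe" /minimized'},
    {"type": "process_create", "pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "wpm", "pid": 5000, "target_pid": 4100},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def analyse(events):
    findings = []
    # DLLs written during the run, keyed by basename only: the 32-bit sample's "system32"
    # paths are redirected to SysWOW64 under WOW64, so full-path equality would miss the match.
    dropped = {basename(e["target"]) for e in events
               if e["type"] == "file_create" and e["target"].lower().endswith(".dll")}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}

    for e in events:
        if e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            tgt = rundll32_target(e["data"])
            if tgt:
                dll, export = tgt
                findings.append({"rule": "run_key_rundll32", "pid": e["pid"], "dll": dll,
                                 "export": export,
                                 "severity": "high" if basename(dll) in dropped else "medium"})
        elif e["type"] == "wpm":
            own_child = parent.get(e["target_pid"]) == e["pid"]
            findings.append({"rule": "cross_process_write", "pid": e["pid"],
                             "target_pid": e["target_pid"],
                             "severity": "low" if own_child else "high"})

    chain = defaultdict(list)  # dll basename -> rundll32 process_create events, in order
    for e in events:
        if e["type"] == "process_create" and basename(e["image"]) == "rundll32.exe":
            tgt = rundll32_target(e.get("cmdline", ""))
            if tgt and basename(tgt[0]) in dropped:
                chain[basename(tgt[0])].append(e)
    for dll, procs in chain.items():
        findings.append({"rule": "rundll32_dropped_dll", "dll": dll, "severity": "high",
                         "pids": [p["pid"] for p in procs],
                         "exports": [rundll32_target(p["cmdline"])[1] for p in procs]})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

Matching the dropped DLL by basename is deliberate: the report itself shows the same file referred to as both system32\catcfg40.dll and SysWOW64\catcfg40.dll, and a rule keyed on the full path would fire on only one of them.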
Network
MITRE ATT&CK Enterprise v15
Downloads
Artifacts offered for download from this run, listed by size and hashes; the page gives no file names.

- 19KB
  MD5: c2b9da79cb641ac41c1c99dd258f055a
  SHA1: 6b2bcbcc882db91ebcd508c0d627385e8cdf9628
  SHA256: d79347c12d86433e0ffebb500bcadcaa1e23bfbc76f065971be511c93932ab09
  SHA512: 882373bbd9db4c4a15ba2de9ebe8140d774f1bbc73605606452382a367a9932943a6fc7785b88da7de3cc3bbc51ac03c32af2e091e3a60bd078a22bd9fe7decb
- 293KB
  MD5: cc0d891bb29fa825a99ac5131d9b11e4
  SHA1: 040936e40060eec5ad8662c6ff1b6e96cdbb3f6d
  SHA256: 2cf1387f703d9e947e2a2399e683a99881cf74b9bc0eb42a98f3135e795567aa
  SHA512: c1bc58ed1968fe144b8388083bfc3b875f638f83f8f9f6ddfa6ade36e65db8699b26c69335cffd53a595fee4ebb6da1f3991bf21105462555f2029a8f9237633
- 286KB
  MD5: f199c64fb44e3f3d5543050049bd5c7f
  SHA1: 4f386e97a493b78ddbbe9cd4e3151b77cdbec2f8
  SHA256: d9f0a040dfb3c5033e8993342805bfc9a40a12af643fb3f74ebf3dc712d9d903
  SHA512: 882a47d745fc09315fafccfb35bb6d0b026e765ea60144cd6a210e47d2e5b960a8f9640dbbf27aa6911fe634e31d5fb7c4d2bcce461ef58e87af01b4f68dc854
- 230KB
  MD5: b9bf2fe3548a27f8365e040b70a66395
  SHA1: a51e15c5d5068066eb2791a02f6b33b36730bb7b
  SHA256: 2decadc320ed14f3c063dd487c3dfb9a5a760cccec9d062c1fb9ca23e1af742a
  SHA512: 47d3ebd6f6bb4c66501ee0c92364ffa4781d4028d68f3ac778ab1456c981f7c8c851211b0d061a4a389ba04ceacbc18459af9e184c38b3c7a4915f50b95ec3b3
- 274KB
  MD5: 63abe86b537845af7035988ff6662fc7
  SHA1: 4aebd41737b13eb0641426eed1e17b53184fe75b
  SHA256: bb9310d5772af88265a072fb96390f68c6c1442cf7c6ee3f356038608a8f94da
  SHA512: 0697cfe4899e07e4cc7fa6a7c3d01254317e617e1cc44ceab0e6f7d0a32e4f21fd05f9e800a0193f6a520af7177a576ca0bef9fef0182a19f9864123ab7d894b
- 273KB
  MD5: 1363a51689c4fdc9748b4caf31b71fc9
  SHA1: 007fe7fcfcf127d9f7e3c1fe69cfbe09c0579dc5
  SHA256: 83e4d2d4a6289ed635f1a34c670347ffd5e6ce82f41ee79c69cb7bce56258c3b
  SHA512: 6d51ead18f32c29f09e3a86a94aaa91f739ca8a2ae157db6fb6ac1415f8e804530e59b8dd5100a2950cc1c9d183e3dbbc3c1eef58cd963f019c650a2d14a2ecf
- 288KB
  MD5: 442630f621867787add0fe7d2c78a85e
  SHA1: 9ee82635da78f187b05e213e2b6e239bdefd7a48
  SHA256: 653797444002f7fb59ba52108f578b007b7fa85223e029d130dcf66a2e7baf1d
  SHA512: 328263f7a11e47262e750f4fc06d98e548a4f935b1d3922c654ad2a512c8f3718e06c9c53a95c600ee850a1165a935f0563f7cd80a5322992e53bc19273fdf27
- 295KB
  MD5: 4fb5d3ad81e7d4cf1f571685e2a4a3f3
  SHA1: 6d459a8efd5816166f516cdbdcc9ab25b7219d78
  SHA256: afa8c19c0d8d6d4347d626b36cbd5ae779e792cd203783ce4401671471b113cb
  SHA512: d6912f3df18c7362b66d2b847cc440888ff7674498f0c6fa68c3201032c19659bf34e06aaf065b0a0c53a74ee8d98f90c2f9eba8e1af8d188184fa16f70adec8
- 412KB
  MD5: ffc0c9d2be9712e6d285f3c646f67683
  SHA1: 155d05c2ed4dad034c6d22260df8a214dfcc6426
  SHA256: 0d654f223dd0c326e933c0cd781cd5c3bbe5b0d505a7729da053ddbbb7c0f451
  SHA512: 42fb158ff7faae9dd26daba339763a8abeb9935f6193b855ce7343dee59ce41afdeb54c8343aaada5cc02e259f8261e415797e86164ce62563a9de5d78cb7505
- 336KB
  MD5: d70b877dc2ec41eaa0471c64e8c2529f
  SHA1: 14e6530ea0c2cf00d46530c5d3163001287f7969
  SHA256: 499022425ed940846ca3a0c9d147856cdd51ed7d0c2d04b885ad90df81ba2bd1
  SHA512: dc4de865dd19d5c0d873473a48c89692f9a8b40a94cf236517d7761f17933968ef1a48fcf20caaaad90444c0c8beac079547eb1ca38a213340ce1e2377e91c5c
- 480KB
  MD5: c86dc06b4cb5f92d8822565b224bc265
  SHA1: 4ca4009ccc269d5b9d1636bdc5ad066ebbb0173d
  SHA256: bb11f3706177aad205490e47bc7199bda292c354c3e7462acf6d2e341d400454
  SHA512: 1214e9026a365abf0849a78deaa83dbd5ac0a1ba260eb650b0c3a964e5d80f40af0f2bb774cf763fdd9733fd2f1988f4bc20cc014571397eafe328807b5c1219