Analysis

  • max time kernel
    42s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/01/2024, 06:10

General

  • Target

    3c17072460aa23cf616534a6bd598572.exe

  • Size

    44KB

  • MD5

    3c17072460aa23cf616534a6bd598572

  • SHA1

    1fe72774a703e1686335064f82c5c95736de3676

  • SHA256

    47e5df70654cbcabc73440e2e29aa962baa66e09cfef1973cd9084c7b5b91b74

  • SHA512

    979a140476a2c2db40f3b6da3c01d4f53790fbf001567fb159ce3b221ca9fa5ad8b7d184cde0f511ddb45be1e485563f38a99d04dd8e92f802b4e4b8de241b8f

  • SSDEEP

    768:S/wzud6HJRgZR8jzcGg1nTGOuSijvCIvM3KOMMMMMMMMMMMMMMMMMMMMMMMMMMMS:86LgZRAoGgBFYeBVFT

Score
10/10

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 1 IoC)
  • Windows security modification (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTP, 1 IoC)
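
Signature families such as "UAC bypass", "Windows security modification", "Checks whether UAC is enabled" and "System policy modification" are raised on reads and writes of a small set of well-known registry values, and the report lists only the family names, not the values this sample touched. The script below is an added example (not part of the sandbox output) for checking an affected host: it parses the text that `reg export <key> <file>` writes and flags every value left in a tampered state. The CHECKS table is an assumption about which values these families commonly cover, and SAMPLE_EXPORT is constructed for the example.

```python
"""Flag UAC and security-policy tampering in a registry export.

Parses the text produced by   reg export <key> <file>   on the affected
host and reports every well-known value that sits in a tampered state.
The CHECKS table and SAMPLE_EXPORT are constructed for this example; the
sandbox report names signature families only and does not say which of
these values the sample actually changed.
"""
import re

# (key path suffix, value name, tampered value, effect).  Suffix matching
# covers the same policy key under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
CHECKS = [
    (r"\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0,
     "UAC disabled (takes effect only after the next reboot)"),
    (r"\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin", 0,
     "administrators elevate without any prompt"),
    (r"\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop", 0,
     "UAC prompts shown on the normal desktop, where they can be spoofed"),
    (r"\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1,
     "Task Manager blocked by policy"),
    (r"\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1,
     "regedit blocked by policy"),
    (r"\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1,
     "Windows Defender disabled by policy"),
    (r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0,
     "Windows Firewall off for the standard profile"),
]

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg_export(text):
    """Return {key path: {value name: value}} for the dword and string values of a .reg export."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["key"]
            values.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[current][m["name"]] = int(m["val"], 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[current][m["name"]] = m["val"]
        # hex:/expand-string values and their continuation lines are not needed here
    return values


def find_tampering(values, checks=CHECKS):
    """Return (key, name, value, effect) for every checked value found in its tampered state."""
    findings = []
    for key, names in values.items():
        lowered = {n.lower(): v for n, v in names.items()}
        for suffix, name, bad, effect in checks:
            if key.lower().endswith(suffix.lower()) and lowered.get(name.lower()) == bad:
                findings.append((key, name, bad, effect))
    return findings


def load_reg_file(path):
    """reg export writes UTF-16LE with a BOM; decode it accordingly."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


# Constructed export: UAC off, silent elevation, Task Manager and Defender
# disabled, secure desktop and firewall still at their safe values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value, effect in find_tampering(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{name} = {value}: {effect}")
```

On a live host, export the policy keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg` (and the HKCU copy) and pass the file to `load_reg_file`. Two caveats a responder should keep in mind: `EnableLUA=0` does not take effect until the next reboot, so a host that still shows UAC prompts can already be tampered, and in this report the registry signatures sit on the second process (PID 1700), so the write should be tied to that PID in the host's own event timeline rather than to the parent.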

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe
    "C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe
      "C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1700
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.cl/
        3⤵
        • Modifies Internet Explorer settings
        PID:2204
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
    1⤵
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

The three files below sit in Internet Explorer's cache, CryptnetUrlCache and %TEMP%, the locations written during the http://www.google.cl/ visit by PID 2204; nothing under C:\Windows is listed, so the two "Drops file in Windows directory" IoCs on PID 1700 are not visible in this list.

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      c2277d11ce83c4bab740da7f8725fb5b

      SHA1

      f2509d946b59d21ed2499a6667440a0c0c126e28

      SHA256

      a4a2bd1ae97993d79af49b32f146b74b077e48f16b4a1e6a5db492d7250788cf

      SHA512

      e349048f487ae792f3dd3d078d1f329bbb3bde3c6ff4f12ea1d6e1b54cef64ac0726f16a3d90f87d6c9b636606c3645d050b39433fb86aa21496db39633c69f5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\favicon[1].ico

      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

    • C:\Users\Admin\AppData\Local\Temp\CabDA98.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • memory/1700-27-0x00000000025B0000-0x00000000025BC000-memory.dmp

      Filesize

      48KB

    • memory/1700-7-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-511-0x00000000025B0000-0x00000000025BC000-memory.dmp

      Filesize

      48KB

    • memory/1700-17-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-11-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-21-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-24-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-26-0x0000000004DD0000-0x000000000588A000-memory.dmp

      Filesize

      10.7MB

    • memory/1700-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1700-5-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/1700-3-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

    • memory/2108-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2108-20-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2108-13-0x0000000000390000-0x00000000003AA000-memory.dmp

      Filesize

      104KB
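
The parent (PID 2108) starts a second copy of the same executable (PID 1700) and is the process flagged for WriteProcessMemory and SetThreadContext, the API pair used to write into a suspended child and redirect its thread. The memory dumps above are the cheapest place to follow that up. The script below is an added example, not part of the sandbox output: it parses the dump names, recomputes each size from the address range, checks it against the printed Filesize, groups the distinct regions per PID and counts how often each was dumped. The (name, Filesize) pairs are copied from this report; the interpretation comment at the end is an inference, not something the report states.

```python
"""Cross-check the memory-dump entries of a sandbox report.

Each dump is named  memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp  and the
report prints a Filesize beside it.  This added example recomputes the size
from the address range, verifies it against the printed value, groups the
distinct regions per PID and counts how often each region was dumped.
The (name, Filesize) pairs below are copied from the report.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

REPORT_DUMPS = [
    ("memory/1700-27-0x00000000025B0000-0x00000000025BC000-memory.dmp", "48KB"),
    ("memory/1700-7-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-511-0x00000000025B0000-0x00000000025BC000-memory.dmp", "48KB"),
    ("memory/1700-17-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-11-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-21-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-24-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-26-0x0000000004DD0000-0x000000000588A000-memory.dmp", "10.7MB"),
    ("memory/1700-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/1700-5-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/1700-3-0x0000000000400000-0x0000000000406000-memory.dmp", "24KB"),
    ("memory/2108-0-0x0000000000400000-0x000000000041A000-memory.dmp", "104KB"),
    ("memory/2108-20-0x0000000000400000-0x000000000041A000-memory.dmp", "104KB"),
    ("memory/2108-13-0x0000000000390000-0x00000000003AA000-memory.dmp", "104KB"),
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format a byte count the way the report does: whole KB, or MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(entries):
    """Return (name, computed size, reported size, matches) for every entry."""
    results = []
    for name, reported in entries:
        computed = human_size(parse_dump_name(name)["size"])
        results.append((name, computed, reported, computed == reported))
    return results


def regions_by_pid(entries):
    """Distinct (start, end) ranges per PID, sorted by address."""
    regions = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def dump_counts(entries):
    """How many times each (pid, start, end) region was dumped during the run."""
    counts = Counter()
    for name, _ in entries:
        d = parse_dump_name(name)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return counts


def image_base_size(regions, base=0x400000):
    """Size of the dumped region that starts at the usual 32-bit image base, or None."""
    for start, end in regions:
        if start == base:
            return end - start
    return None


if __name__ == "__main__":
    for name, computed, reported, ok in check_sizes(REPORT_DUMPS):
        if not ok:
            print(f"SIZE MISMATCH {name}: computed {computed}, report says {reported}")
    by_pid = regions_by_pid(REPORT_DUMPS)
    counts = dump_counts(REPORT_DUMPS)
    for pid, regions in sorted(by_pid.items()):
        print(f"PID {pid}:")
        for start, end in regions:
            n = counts[(pid, start, end)]
            print(f"  {start:#010x}-{end:#010x}  {human_size(end - start):>7}  dumped {n}x")
    # Inference, not a statement from the report: parent and child run the
    # same .exe, yet the region at the image base is 0x1A000 bytes in 2108
    # and 0x6000 bytes in 1700, and the child's copy was dumped seven times.
    # With WriteProcessMemory/SetThreadContext on the parent, that is the
    # shape of a replaced image; confirm by comparing the PE headers in the
    # successive 1700-*-0x400000 dumps.
    print("image-base region size: parent", hex(image_base_size(by_pid[2108])),
          "child", hex(image_base_size(by_pid[1700])))
```

All fourteen printed sizes agree with the address ranges, so the table itself is consistent; the thing worth a second look is the child, whose image-base region is a different size from the parent's for the same file path and was re-dumped on each of seven events.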