f6ed571ede58aaabbba5cd9626e080c3ffc4d713ec34a8a66f102829ac57d48b

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 12:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ce7c9d19978942c23f7138342d92498.exe
Size

95KB
MD5

3ce7c9d19978942c23f7138342d92498
SHA1

5c6f5bdd6f71d44dcbf9a0bcea6c82fc4de4fd85
SHA256

f6ed571ede58aaabbba5cd9626e080c3ffc4d713ec34a8a66f102829ac57d48b
SHA512

cd98356700bfa18553e86c2c79e8fe3648539d1484f93b99a3baac2dc45b59da5cce8068760242505cc9e578900efc52c235ab20f638356e4f5287ccce1105c0
SSDEEP

1536:bUql7mQWFQ9VxlgNEK/0nbP+Mufou9uLrx/MZLiSwGdMD19azBcdXskbM0kYatUH:sTOnxlgNzer+yu9uLrJMtiStdMDazkbJ

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IpSet\Parameters\ServiceDLL = "%SystemRoot%\\system32\\IpSet.dll"	3ce7c9d19978942c23f7138342d92498.exe

Deletes itself 1 IoCs

pid	Process
1076	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1076	1900	3ce7c9d19978942c23f7138342d92498.exe	30
PID 1900 wrote to memory of 1076	1900	3ce7c9d19978942c23f7138342d92498.exe	30
PID 1900 wrote to memory of 1076	1900	3ce7c9d19978942c23f7138342d92498.exe	30
PID 1900 wrote to memory of 1076	1900	3ce7c9d19978942c23f7138342d92498.exe	30

C:\Users\Admin\AppData\Local\Temp\3ce7c9d19978942c23f7138342d92498.exe
"C:\Users\Admin\AppData\Local\Temp\3ce7c9d19978942c23f7138342d92498.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Deleteme.bat
  2⤵
  - Deletes itself
  PID:1076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:1708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
184B

MD5
ae7451c290f66bbacd5fabd408ebdadb

SHA1
9b307979cedcf6bfb50e4aa5835443f49e6ce004

SHA256
120db87a887e0bec6d517fae9c8ab813bab29863bf478d4d02c65589d587c50f

SHA512
49c2bd5f6d1781621641c9b5729dca7db565c74878ca43309d10562fb1a0938cc70f9a479c16e70c5d95054e5f5331052e26f8999b0e7e325ffef7984d7786ae

Download Submit
memory/1900-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads