Overview

overview

10

Static

static

3

66694f7dcb...84.exe

windows7-x64

7

66694f7dcb...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384.exe

  • Size

    2.4MB

  • MD5

    f4e12ccaabddc9024adda74dacadb681

  • SHA1

    672e1c2b35cd863c6bcc281604893ec78f168cc5

  • SHA256

    66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384

  • SHA512

    8440b414f02769db73b07db6a5ae57f92b783a1694cd4ebae738771ffdb5656dd295a3235499e5f9401ff08584b8736bacff0848252f10b3bb55d492ac8725b9

  • SSDEEP

    49152:xLuYoz262V1lcg/2aRdbDwvDoo/LaKsc8hwwefPmynPnWiy2wf:Uz+blcg/2+dsjPq3g3P/y2s

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384.exe
    "C:\Users\Admin\AppData\Local\Temp\66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cp9iY02.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cp9iY02.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2032
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    1⤵
      PID:2832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
        2⤵
          PID:2572
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
        1⤵
          PID:2540
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          1⤵
            PID:1736
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
            1⤵
              PID:2580
            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VV5Ym9.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VV5Ym9.exe
              1⤵
                PID:2544
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
                  2⤵
                    PID:1912
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
                    2⤵
                      PID:540
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 2420
                      2⤵
                      • Program crash
                      PID:1492
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
                    1⤵
                      PID:2496
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
                      1⤵
                        PID:1272
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
                        1⤵
                        • Creates scheduled task(s)
                        PID:1688
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
                        1⤵
                        • Creates scheduled task(s)
                        PID:1104
                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2so0154.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2so0154.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:2180

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Cp9iY02.exe
                        Filesize

                        92KB

                        MD5

                        5e95b58cc97ca26faa34eb7bf2f7e906

                        SHA1

                        bba3b4474c17d32c0ab6a9faf3882f4dd5bf477c

                        SHA256

                        494baa346b3b3c2f3948951f147d5511141d1245bf2b7a17a49144fec5724767

                        SHA512

                        43bb0854fe6a7ff6ea88f280e760ba55c9a648b938c993b67f59be8cac4a709ed4d0b2b6f8f8e2de041dc59c7342b5edcef84113733566f64051ea3b10897b28

                        Download Submit

                      • memory/1736-43-0x000000006D360000-0x000000006D90B000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/1736-42-0x0000000000440000-0x0000000000480000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1736-35-0x000000006D360000-0x000000006D90B000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/2032-572-0x0000000002980000-0x0000000002DDE000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2032-25-0x0000000002980000-0x0000000002DDE000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-61-0x0000000000630000-0x0000000000640000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2544-27-0x0000000001650000-0x0000000001AAE000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-32-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-360-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-29-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-753-0x0000000001650000-0x0000000001AAE000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-764-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-774-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/2544-1017-0x00000000011F0000-0x000000000164E000-memory.dmp

                        Filesize

                        4.4MB

                        Download