Analysis

  • max time kernel
    207s
  • max time network
    239s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-01-2024 23:53

General

  • Target

    44c035798fe1a2784c9184c1e3b11442.exe

  • Size

    27KB

  • MD5

    44c035798fe1a2784c9184c1e3b11442

  • SHA1

    69ceba07244039bba2266a561497dd29f17b71fa

  • SHA256

    a72d687c5d2445e8d48d4bb99a90be69597c60f720d72eb1f9a1ea1a0b2d37b1

  • SHA512

    84150138b5bbefa9a364644e1c3c084c89fbe9311924121eb0996fe8a86d87a085fb9a567e044d57b236424400abb8f0b6e06d39580ced9e1b29ad8ceb205fee

  • SSDEEP

    768:Wf3Eo+c9xbmYi7mkoLbp6epKFbMIFaiFRyNSM3jNwq4oSWJY:Rc9bi7mAepKFbNRyNB3pprg

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c035798fe1a2784c9184c1e3b11442.exe
    "C:\Users\Admin\AppData\Local\Temp\44c035798fe1a2784c9184c1e3b11442.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\wicheck080812.dll" myjkl
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\mycjjk.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\SysWOW64\wicheck080812.exe
          "C:\Windows\system32\wicheck080812.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2384
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\jkDe.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:292
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:888
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:1624
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\jkDe.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2156
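
Added example, not part of the sandbox report: the process tree above, transcribed as events, with three behavioural checks that approximate the report's signatures (rundll32 calling an export of a DLL the sample dropped, a dropped executable being started, and cmd.exe running a .bat from the drive root while its children ping 127.0.0.1, the usual wait-then-delete batch pattern). One caveat the tree illustrates: the chain is 32-bit (every system binary is the SysWOW64 copy), so the command lines say C:\Windows\system32\wicheck080812.dll while the Downloads section shows the file under C:\Windows\SysWOW64\. That is WOW64 file system redirection, and a hunt for the literal system32 path would miss the file; the example normalises for it. The 32-bit heuristic and the detection predicates are my own assumptions, not something the report states.

```python
# Added example (not part of the sandbox report): behavioural checks over the
# process tree above. Events are transcribed from the report; the predicates
# are my own approximation of the report's signatures, and the 32-bit
# detection is a heuristic, not something the report states.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process events as shown in the report (PID, parent PID, image, command line).
PROCS: List[Proc] = [
    Proc(3052, None, r"C:\Users\Admin\AppData\Local\Temp\44c035798fe1a2784c9184c1e3b11442.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\44c035798fe1a2784c9184c1e3b11442.exe"'),
    Proc(2984, 3052, r"C:\Windows\SysWOW64\rundll32.exe",
         r'rundll32.exe "C:\Windows\system32\wicheck080812.dll" myjkl'),
    Proc(648, 2984, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\mycjjk.bat" "'),
    Proc(3032, 648, r"C:\Windows\SysWOW64\wicheck080812.exe",
         r'"C:\Windows\system32\wicheck080812.exe" i'),
    Proc(1740, 3032, r"C:\program files\internet explorer\iexplore.exe",
         r'"C:\program files\internet explorer\iexplore.exe"'),
    Proc(2384, 1740, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2'),
    Proc(292, 3032, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\jkDe.bat" "'),
    Proc(888, 292, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(1624, 292, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(1140, 3052, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\jkDe.bat" "'),
    Proc(2156, 1140, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Files the report's Downloads section shows the sample writing, lower-cased,
# at the location where they actually landed on disk.
DROPPED: Set[str] = {
    r"c:\windows\syswow64\wicheck080812.dll",
    r"c:\windows\syswow64\wicheck080812.exe",
    r"c:\windows\checkcj.ini",
    r"c:\jkde.bat",
    r"c:\mycjjk.bat",
}

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def is_32bit(p: Proc, children: Dict[Optional[int], List[Proc]]) -> bool:
    """Heuristic (assumption): a process is 32-bit if its image lives in
    SysWOW64 or Program Files (x86), or if the system binaries it spawned by
    name resolved to SysWOW64 copies, which only happens for WOW64 callers."""
    img = p.image.lower()
    if SYSWOW64 in img or "\\program files (x86)\\" in img:
        return True
    return any(SYSWOW64 in c.image.lower() for c in children[p.pid])


def canonical(path: str, caller_is_32bit: bool) -> str:
    """Where a path named by the process actually lands: WOW64 file system
    redirection sends a 32-bit process's C:\\Windows\\System32 to SysWOW64."""
    path = path.lower()
    if caller_is_32bit and path.startswith(SYSTEM32):
        path = SYSWOW64 + path[len(SYSTEM32):]
    return path


PATH_RE = re.compile(r'[a-z]:\\[^"\s]+', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?\.dll)"?[,\s]+(\S+)', re.I)


def detect(procs: List[Proc], dropped: Set[str]) -> List[Tuple[int, str, str]]:
    children: Dict[Optional[int], List[Proc]] = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        bits32 = is_32bit(p, children)
        if name == "rundll32.exe":
            # 1. rundll32 calling an export of a DLL the sample itself wrote.
            m = RUNDLL_RE.match(p.cmdline)
            if m and canonical(m.group(1), bits32) in dropped:
                findings.append((p.pid, "rundll32_dropped_dll", f"{m.group(1)}!{m.group(2)}"))
        elif canonical(p.image, bits32) in dropped:
            # 2. a dropped executable started as a process.
            findings.append((p.pid, "executes_dropped_exe", p.image))
        if name == "cmd.exe":
            # 3. cmd running a .bat from the drive root while its children ping
            #    loopback: the usual 'wait, then delete' batch pattern.
            bats = [x for x in (canonical(r, bits32) for r in PATH_RE.findall(p.cmdline))
                    if x.endswith(".bat") and x.count("\\") == 1]
            pings = [c for c in children[p.pid]
                     if c.image.lower().endswith("\\ping.exe") and "127.0.0.1" in c.cmdline]
            if bats and pings:
                findings.append((p.pid, "bat_ping_loopback_delay", bats[0]))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in detect(PROCS, DROPPED):
        print(f"{pid:>5}  {kind:<26} {detail}")
```

Run stand-alone it flags PID 2984 (rundll32 with the dropped DLL and the export name myjkl), PID 3032 (the dropped copy of the sample) and PIDs 292 and 1140 (jkDe.bat plus loopback pings); PID 648 is not flagged because mycjjk.bat's only child is the dropped executable, not ping.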

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    8078406e3aea79f7db41183f750aac08

    SHA1

    cd8189f72c7857c0d1b0136813938aeda62a4071

    SHA256

    14b95185137a5a611cd1fcfefadc7767910e5f7b19528684505d2c1927b099c2

    SHA512

    64d7a2d8cffd16743b68af20f028e0b47e8f1c7840e2b86934b24f9a3af0432888556e5019972619f4e46923fdc63c09930c3de8d74e90fbd9bce808d13adf51

  • C:\Users\Admin\AppData\Local\Temp\CabC7C5.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarC854.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Windows\SysWOW64\wicheck080812.dll

    Filesize

    28KB

    MD5

    edcf88d1c792c813b9ad524b7258ed7c

    SHA1

    88f3f6860a8fcf223087b3d0517c260951768d5e

    SHA256

    83b352370682eb77eab9f73401492ee66b7996c981dc3754f61ccf0c1e42c5f0

    SHA512

    71564e712ae50931ac1688570f8ae970d8cde3e9d738c6cf3fb2c8da672021e1fb60095433bb6fa1d7ee606d34570e48e71a32fe25bfc61e1178290e79e4abae

  • C:\Windows\SysWOW64\wicheck080812.exe

    Filesize

    27KB

    MD5

    44c035798fe1a2784c9184c1e3b11442

    SHA1

    69ceba07244039bba2266a561497dd29f17b71fa

    SHA256

    a72d687c5d2445e8d48d4bb99a90be69597c60f720d72eb1f9a1ea1a0b2d37b1

    SHA512

    84150138b5bbefa9a364644e1c3c084c89fbe9311924121eb0996fe8a86d87a085fb9a567e044d57b236424400abb8f0b6e06d39580ced9e1b29ad8ceb205fee

  • C:\Windows\checkcj.ini

    Filesize

    139B

    MD5

    dc6d9963faf582b8866b3bd625c4c51c

    SHA1

    7c77b6ab39a1a49a5eccc9323d621a301d4d7c05

    SHA256

    42d66ff7d88ddc4bddda02c9b0332be8c023095d89acd18885a8efddc9e920c7

    SHA512

    1650b473106f93b9f839d719895302af7d265f63427551310c709e6e406931721d52a09c7d0341321cfe8559c9c4bfefe6446584692d3ed24d43693a3496ec10

  • C:\jkDe.bat

    Filesize

    139B

    MD5

    83ee7fe6b5c78d25c9918c279a33d32b

    SHA1

    71d46711d0ce89d499dd187fd49d9d58f4d2e351

    SHA256

    499ab8fe9e4652f2b7aa88606e59283a52a3f83db29294dc411f0cbfd5af584c

    SHA512

    b553e145f59ca32e26ccf9ceb43f6b6843d880a91b3ad72d8c0639a7166fff8b6c7983d248805c0ae48e248ee31c5a03cbc8a563ba0a8ceedf844f013835b317

  • C:\jkDe.bat

    Filesize

    205B

    MD5

    173c3769d21d3319d430072ab5591583

    SHA1

    e3174e9c30cc2c542da801c6ce30f6e696c594f4

    SHA256

    01310592d7fc71ff40403ac9e8ff5539636f5c2f68ffa85f7e42d98cb1dddc66

    SHA512

    ad243aa87e7195d5360c67f98bcd5ef0eecd7a21379b2d067b1cc316b9a6fba6271dc82de0606302532e8fee017f4b227737a7a5a4c3a7d7d5109a09519e27d9

  • C:\mycjjk.bat

    Filesize

    51B

    MD5

    feda1ab93471acb3bf9a39bbddf8b528

    SHA1

    c615c25fdfbe76b3a64a2579979643c9a7b0901b

    SHA256

    cc30076b5850055b4a18d0b2d526c5c95cd7552f2e45b182295e8ba3bd5c3ce2

    SHA512

    07545fd895588e0c0f3ee7e661bdb1385b0dcf92437a514aca1aaf59401af046616a5484e413124dd5045241f528fe0965c4cbac08f7b1f8f84440bf6979ed66

  • memory/2984-52-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2984-31-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2984-15-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB
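
Added example, not part of the sandbox report: the Downloads list above, transcribed with its SHA-256 values, and the correlations a responder would want from it. Two of them are visible by eye but worth automating: C:\Windows\SysWOW64\wicheck080812.exe carries the same hashes as the submitted target, so it is a byte-identical self-copy rather than a second-stage payload, and C:\jkDe.bat appears twice with different sizes and hashes, so it was overwritten during the run and a single hash for that path is not a reliable indicator. The classification of the CryptnetUrlCache entry and the Cab*.tmp/Tar*.tmp files as CryptoAPI noise (root-certificate and revocation fetches triggered once Internet Explorer was launched) is my own rule of thumb, not a verdict the report makes; the hashes_of helper reproduces the four digests the report publishes so a file recovered from a host can be compared against any of them.

```python
# Added example (not part of the sandbox report): correlating the Downloads
# list above. Entries are transcribed from the report (path, size as shown,
# SHA-256); the noise classification is my own rule of thumb, not a verdict
# the report makes.
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_SHA256 = "a72d687c5d2445e8d48d4bb99a90be69597c60f720d72eb1f9a1ea1a0b2d37b1"

DROPS: List[Tuple[str, str, str]] = [
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "344B", "14b95185137a5a611cd1fcfefadc7767910e5f7b19528684505d2c1927b099c2"),
    (r"C:\Users\Admin\AppData\Local\Temp\CabC7C5.tmp", "65KB",
     "c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d"),
    (r"C:\Users\Admin\AppData\Local\Temp\TarC854.tmp", "171KB",
     "4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f"),
    (r"C:\Windows\SysWOW64\wicheck080812.dll", "28KB",
     "83b352370682eb77eab9f73401492ee66b7996c981dc3754f61ccf0c1e42c5f0"),
    (r"C:\Windows\SysWOW64\wicheck080812.exe", "27KB",
     "a72d687c5d2445e8d48d4bb99a90be69597c60f720d72eb1f9a1ea1a0b2d37b1"),
    (r"C:\Windows\checkcj.ini", "139B",
     "42d66ff7d88ddc4bddda02c9b0332be8c023095d89acd18885a8efddc9e920c7"),
    (r"C:\jkDe.bat", "139B",
     "499ab8fe9e4652f2b7aa88606e59283a52a3f83db29294dc411f0cbfd5af584c"),
    (r"C:\jkDe.bat", "205B",
     "01310592d7fc71ff40403ac9e8ff5539636f5c2f68ffa85f7e42d98cb1dddc66"),
    (r"C:\mycjjk.bat", "51B",
     "cc30076b5850055b4a18d0b2d526c5c95cd7552f2e45b182295e8ba3bd5c3ce2"),
]

# Assumption: CryptoAPI writes these when a process (here Internet Explorer)
# triggers a root-certificate or revocation fetch; they show up in almost every
# sandbox run that launches a browser and are not attacker-authored content.
CRYPTOAPI_NOISE = re.compile(r"(\\cryptneturlcache\\|\\temp\\(cab|tar)[0-9a-f]{4}\.tmp$)", re.I)


def classify(path: str) -> str:
    low = path.lower()
    if CRYPTOAPI_NOISE.search(low):
        return "cryptoapi_cache"
    if low.startswith("c:\\windows\\"):
        return "system_dir"
    if low.count("\\") == 1:
        return "drive_root"
    return "other"


def self_copies(drops: List[Tuple[str, str, str]], sample_sha256: str) -> List[str]:
    """Dropped files byte-identical to the submitted sample (same SHA-256)."""
    return [path for path, _, sha in drops if sha == sample_sha256]


def rewritten_paths(drops: List[Tuple[str, str, str]]) -> List[str]:
    """Paths recorded more than once with different content: the file was
    overwritten during the run, so one hash for that path is not enough."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for path, _, sha in drops:
        seen[path.lower()].add(sha)
    ordered = dict.fromkeys(p for p, _, _ in drops)  # dedupe, keep report order
    return [path for path in ordered if len(seen[path.lower()]) > 1]


def ioc_hashes(drops: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """SHA-256 -> path for everything that is not CryptoAPI noise."""
    return {sha: path for path, _, sha in drops if classify(path) != "cryptoapi_cache"}


def hashes_of(data: bytes) -> Dict[str, str]:
    """The four digests the report publishes, so a file recovered from a host
    can be compared against whichever one a feed or ticket quotes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_file(data: bytes, drops: List[Tuple[str, str, str]]) -> List[str]:
    """Paths in the report whose SHA-256 equals that of the given bytes."""
    sha = hashes_of(data)["sha256"]
    return [path for path, _, s in drops if s == sha]


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(DROPS, SAMPLE_SHA256))
    print("overwritten during run:   ", rewritten_paths(DROPS))
    for sha, path in ioc_hashes(DROPS).items():
        print(f"{sha}  {classify(path):<15} {path}")
```

Run as-is it reports the SysWOW64 copy as the only self-copy, C:\jkDe.bat as the only overwritten path, and six indicator hashes (the DLL, the copied EXE, checkcj.ini, both versions of jkDe.bat and mycjjk.bat) with the three CryptoAPI artifacts left out.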