Analysis
max time kernel: 2s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 05/01/2024, 14:14
Static task: static1
Behavioral task: behavioral1
  Sample: 43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
  Resource: win10v2004-20231215-en
General
Target: 43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
Size: 51KB
MD5: 43e4f5a31ff7c90f59f4ac9b4d2eecf5
SHA1: e59c6084c537ebec193ff3f19c0f906e09a71fcf
SHA256: ff77d1b39f87bfa525c67f780c77b516a3ab05f3f794aaedfdfbe118044d3675
SHA512: 68bec7e25a1a4388494a9636935b0051e8466302e7ccefa399692ec69aa73d9405c6b128d5b6cd5431dec2c56c809d78a54f73e57af4f0051d65c64522384554
SSDEEP: 768:hogJkE3jZoiBd5Byynjb3xMJEU0xSOumt28ZDWVx6c:hogJkE3egd28/qyUnOo8ZiV0c
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2136  lsass.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\D:   lsass.exe
  File opened (read-only)  \??\F:   lsass.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description                   ioc             Process
  File created                  C:\autorun.inf  lsass.exe
  File opened for modification  C:\autorun.inf  lsass.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
  2136  lsass.exe
  2136  lsass.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                               procid_target
  PID 2668 wrote to memory of 2136  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe  28
  PID 2668 wrote to memory of 2136  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe  28
  PID 2668 wrote to memory of 2136  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe  28
  PID 2668 wrote to memory of 2136  2668  43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43e4f5a31ff7c90f59f4ac9b4d2eecf5.exe"
   PID: 2668
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\lsass.exe (child of PID 2668)
      Command line: "C:\Users\Admin\lsass.exe"
      PID: 2136
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads