Analysis
-
max time kernel
106s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
06/01/2024, 02:10
General
-
Target
41faad402aa16a136d8b8f1364d7e9c3.exe
-
Size
54KB
-
MD5
41faad402aa16a136d8b8f1364d7e9c3
-
SHA1
608dfd83ab573cf15f5ab50fac3bf86eb5e084e4
-
SHA256
61d43a11f8831bdcfabc1dfaa8685a3ae4ddf3b512c27c15e9d65dcb2aa897fa
-
SHA512
6fceb1d632ef7cba69091f658d62ca9e7cfca15a05790f257b1d7b7e9f82b9e8860f6c12e6332425ec520fab95a8e91ec411dd21d086ab3b56720e78cf81ba98
-
SSDEEP
768:hJSrYIiWg9NDz4WnFihPzV2qzj2eWrW/Jm4Xtfa7a3xu9ulHHrnKFBAnPWcCB29o:h49bWcjSDrOUCtSwnrnuAn6B6o
Score
8/10
Malware Config
Signatures
-
Disables RegEdit via registry modification 5 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 10 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 12 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41faad402aa16a136d8b8f1364d7e9c3.exe"C:\Users\Admin\AppData\Local\Temp\41faad402aa16a136d8b8f1364d7e9c3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\41faad402aa16a136d8b8f1364d7e9c3.exe"C:\Users\Admin\AppData\Local\Temp\41faad402aa16a136d8b8f1364d7e9c3.exe"2⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"4⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip5⤵
-
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\41FAAD~1.EXE > nul3⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"1⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"3⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"5⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"8⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"9⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"10⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"11⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"12⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"13⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"14⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"15⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\system32\symdebugs.exe"16⤵
-
C:\Windows\SysWOW64\symdebugs.exe"C:\Windows\SysWOW64\symdebugs.exe"17⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip16⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com16⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"16⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"16⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul16⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip14⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul14⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"14⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"14⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com14⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com12⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul12⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"12⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"12⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip12⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul10⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"10⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"10⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com10⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip10⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com8⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"8⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"8⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip8⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul8⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul6⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul4⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYMDEB~1.EXE > nul2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "606632266722820891055956263-92097955264042216417688723511920544821-994134105"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5187a9b6cc39d35b9e04cba9ffbae519f
SHA109f18be24d22828c5b57beac4f3f8073bcf28c4a
SHA256c542613e38a4670bb119e798664eb5c07ca6dd5541a5fc23f8bb70e04ea19f85
SHA512b1b07e4e55fca6be43b9e11e9692d0c7aca934a14e76325a76380a8660adff635ffdb822b651f60d80cfc1b504ebca937609dba33c25c3d4824712c59a651229
-
Filesize
4KB
MD5fa9befaa7989dccec5c619d71d972485
SHA16b486e98f6476ef6d2d35305d4f3877719d888e0
SHA25699fb6e68f43538b21221560e3c179ef99586b7bba82d10b4272f0d1203346eeb
SHA512c053448ffc704b34eb8458c38680348819d445c3704e412d2d982969fc8560c2217eb4eef6d3f58441080bb67dda4835d6ab68b1f10426d948d32af37f2f620c
-
Filesize
54KB
MD541faad402aa16a136d8b8f1364d7e9c3
SHA1608dfd83ab573cf15f5ab50fac3bf86eb5e084e4
SHA25661d43a11f8831bdcfabc1dfaa8685a3ae4ddf3b512c27c15e9d65dcb2aa897fa
SHA5126fceb1d632ef7cba69091f658d62ca9e7cfca15a05790f257b1d7b7e9f82b9e8860f6c12e6332425ec520fab95a8e91ec411dd21d086ab3b56720e78cf81ba98
-
Filesize
84KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
84KB