Analysis
- max time kernel: 1s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2024, 19:20
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: a44a78759af5b0c48feca4412b21d018.exe
  - Resource: win7-20231215-en
  - 8 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: a44a78759af5b0c48feca4412b21d018.exe
  - Resource: win10v2004-20231222-en
  - 8 signatures
  - 150 seconds
General
- Target: a44a78759af5b0c48feca4412b21d018.exe
- Size: 68KB
- MD5: a44a78759af5b0c48feca4412b21d018
- SHA1: 9e0746c6658658e3a9b5b1128d313dd7214fef2a
- SHA256: bdd04fcdbac5e8df6aca7e74040103317ff268a11193f94b1be7fd9c87622d60
- SHA512: 9188be7e531d18497761f7d72d37c9c95c2a560557ba0b4c211a06c2df770be7d9a04a79e0ea11de5ce4ed5dfc3aa32b1a1c92e201996e94e621415be74833e4
- SSDEEP: 768:wcEliTdmYAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:/EIxXAcqOK3qowgnt1d
- Score: 10/10
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  - description: Set value (int)
  - ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  - Process: a44a78759af5b0c48feca4412b21d018.exe
- Executes dropped EXE (1 IoCs)
  - pid 2208, Process: Admin.exe
- Loads dropped DLL (2 IoCs)
  - pid 2456, Process: a44a78759af5b0c48feca4412b21d018.exe
  - pid 2456, Process: a44a78759af5b0c48feca4412b21d018.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - description: Set value (str)
  - ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"
  - Process: a44a78759af5b0c48feca4412b21d018.exe
- Enumerates physical storage devices (1 TTPs)
  - Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  - pid 2456, Process: a44a78759af5b0c48feca4412b21d018.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  - pid 2456, Process: a44a78759af5b0c48feca4412b21d018.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2456 wrote to memory of 2208: a44a78759af5b0c48feca4412b21d018.exe -> procid_target 28
  - PID 2456 wrote to memory of 2208: a44a78759af5b0c48feca4412b21d018.exe -> procid_target 28
  - PID 2456 wrote to memory of 2208: a44a78759af5b0c48feca4412b21d018.exe -> procid_target 28
  - PID 2456 wrote to memory of 2208: a44a78759af5b0c48feca4412b21d018.exe -> procid_target 28
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe
  - Command line: "C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe"
  - PID: 2456
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\Admin.exe (child of PID 2456)
    - Command line: "C:\Users\Admin\Admin.exe"
    - PID: 2208
    - Executes dropped EXE