Analysis
max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
08/01/2024, 03:40
Static task
static1
Behavioral task
behavioral1
Sample
4a575119119b826fd764c1f85bedc66d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4a575119119b826fd764c1f85bedc66d.exe
Resource
win10v2004-20231215-en
General
Target
4a575119119b826fd764c1f85bedc66d.exe
Size
44KB
MD5
4a575119119b826fd764c1f85bedc66d
SHA1
f4ec3684eacd65a7cc88710625ad4d18d01cf9ca
SHA256
b7c89d5e1f54723b87d130e27993aa7ea706130548f1044c2efd96160d9a12fa
SHA512
ffccfa845efd181f6fdb53c2fbfffeb4d1276346ec9b91aed3de86bef9568957721ef502061fba7750f4d3ed72f70bf954714c10ff9f1ce1a9c53f19a1e6ee43
SSDEEP
768:Bo1wBS/iAPx9my5ztoWp893vb53XvoDKTz:Bo1wB2iAPxiWp89FPo6z
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
1740  MROWYEKDC.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "C:\\Windows\\mrowyekdc.exe"  MROWYEKDC.EXE
Drops file in Windows directory (15 IoCs)
description                   ioc                                                                               Process
File created                  C:\Windows\User Files\Counterstrike hacks.exe                                     MROWYEKDC.EXE
File opened for modification  C:\WINDOWS\MROWYEKDC.EXE                                                          4a575119119b826fd764c1f85bedc66d.exe
File created                  C:\Windows\User Files\Diablo 2 no-cd hack.exe                                     MROWYEKDC.EXE
File created                  C:\Windows\User Files\Warcraft 3 stat hack.exe                                    MROWYEKDC.EXE
File opened for modification  C:\Windows\User Files\Starcraft + Broodwar 1.10 map hack.exe                      MROWYEKDC.EXE
File created                  C:\Windows\User Files\Warcraft 3 map hack.exe                                     MROWYEKDC.EXE
File created                  C:\Windows\User Files\Warcraft 3 no-cd hack.exe                                   MROWYEKDC.EXE
File created                  C:\Windows\User Files\Warcraft 3 Frozen Throne map hack.exe                       MROWYEKDC.EXE
File created                  C:\Windows\User Files\Warcraft 3 Frozen Throne cd-cd hack.exe                     MROWYEKDC.EXE
File created                  C:\Windows\User Files\Starcraft + Broodwar 1.10 no-cd hack.exeDiablo 2 map hack.exe  MROWYEKDC.EXE
File created                  C:\Windows\User Files\Jamella's Diablo 2 hero editor.exe                          MROWYEKDC.EXE
File created                  C:\Windows\User Files\The Frozen Throne map hack.exe                              MROWYEKDC.EXE
File created                  C:\Windows\User Files\Counterstrike aim hack.exe                                  MROWYEKDC.EXE
File created                  C:\WINDOWS\MROWYEKDC.EXE                                                          4a575119119b826fd764c1f85bedc66d.exe
File created                  C:\Windows\User Files\Starcraft + Broodwar 1.10 map hack.exe                      MROWYEKDC.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                               procid_target
PID 2052 wrote to memory of 1740  2052  4a575119119b826fd764c1f85bedc66d.exe  28
PID 2052 wrote to memory of 1740  2052  4a575119119b826fd764c1f85bedc66d.exe  28
PID 2052 wrote to memory of 1740  2052  4a575119119b826fd764c1f85bedc66d.exe  28
PID 2052 wrote to memory of 1740  2052  4a575119119b826fd764c1f85bedc66d.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\4a575119119b826fd764c1f85bedc66d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4a575119119b826fd764c1f85bedc66d.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2052
  C:\WINDOWS\MROWYEKDC.EXE
  Command line: C:\WINDOWS\MROWYEKDC.EXE
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:1740
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
44KB
MD5
4a575119119b826fd764c1f85bedc66d
SHA1
f4ec3684eacd65a7cc88710625ad4d18d01cf9ca
SHA256
b7c89d5e1f54723b87d130e27993aa7ea706130548f1044c2efd96160d9a12fa
SHA512
ffccfa845efd181f6fdb53c2fbfffeb4d1276346ec9b91aed3de86bef9568957721ef502061fba7750f4d3ed72f70bf954714c10ff9f1ce1a9c53f19a1e6ee43