ca5b78804aa4ececa49193b13dc6aa14c575a9c6f6d44284713aed67b1451af8

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0004a4b6e5b234d335d61460a9532646.exe
Size

464KB
MD5

0004a4b6e5b234d335d61460a9532646
SHA1

5b26104165b2a7bcfd6842dde507ca22822545f8
SHA256

ca5b78804aa4ececa49193b13dc6aa14c575a9c6f6d44284713aed67b1451af8
SHA512

47903796ca84404739707d1660eae37390c10c46f078c579693ec8c9be09f98537b902b014f1d9728e0a66fc58f5913ac0292b44a7baec44df026e93bd93b325
SSDEEP

12288:wslc87eqqV5e+wBoO+zBntkJm4zeIr643jIFFC:wsSqqHeVBJuVKhzeIr64EFC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2528	cttudiag.exe
2368	~1239.tmp
2840	taskdctr.exe

Loads dropped DLL 3 IoCs

pid	Process
2532	0004a4b6e5b234d335d61460a9532646.exe
2532	0004a4b6e5b234d335d61460a9532646.exe
2528	cttudiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\msfeexer = "C:\\Users\\Admin\\AppData\\Roaming\\calcdkey\\cttudiag.exe"	0004a4b6e5b234d335d61460a9532646.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taskdctr.exe	0004a4b6e5b234d335d61460a9532646.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	cttudiag.exe
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	cttudiag.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2528	2532	0004a4b6e5b234d335d61460a9532646.exe	30
PID 2532 wrote to memory of 2528	2532	0004a4b6e5b234d335d61460a9532646.exe	30
PID 2532 wrote to memory of 2528	2532	0004a4b6e5b234d335d61460a9532646.exe	30
PID 2532 wrote to memory of 2528	2532	0004a4b6e5b234d335d61460a9532646.exe	30
PID 2528 wrote to memory of 2368	2528	cttudiag.exe	29
PID 2528 wrote to memory of 2368	2528	cttudiag.exe	29
PID 2528 wrote to memory of 2368	2528	cttudiag.exe	29
PID 2528 wrote to memory of 2368	2528	cttudiag.exe	29
PID 2368 wrote to memory of 1244	2368	~1239.tmp	19

C:\Users\Admin\AppData\Local\Temp\0004a4b6e5b234d335d61460a9532646.exe
"C:\Users\Admin\AppData\Local\Temp\0004a4b6e5b234d335d61460a9532646.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\calcdkey\cttudiag.exe
  "C:\Users\Admin\AppData\Roaming\calcdkey"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\SysWOW64\taskdctr.exe
C:\Windows\SysWOW64\taskdctr.exe -s
1⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\~1239.tmp
1244 475656 2528 1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1239.tmp

Filesize
5KB

MD5
5705593ba9737e6ce194fc90c582fc0e

SHA1
5871d9ec2b67a8436e5c85856dc496bccefd037b

SHA256
8e3c25f73e88bfb380efc77dd3974be79bc34355fe7f2ff488998fbd40a56ac2

SHA512
ba91e7172c1e63e3b49d6f27744ffdadcd63ab00486e638048cb19fcbb16ef58e1463bad5506b41d784107aebe7bea74bdff495dad7895701b233b9c71f6cabb

Download Submit
C:\Users\Admin\AppData\Roaming\calcdkey\cttudiag.exe

Filesize
1KB

MD5
575ef19cc1214d3cfec65a0443795553

SHA1
5e43778e0423a9f2b78a55e259b592887d4bb290

SHA256
20d7bd067b6cc308ee6f43017c373f02f22fe4f6cf6a49a488dd84468734bee0

SHA512
92d6dc7cf0799ec6e8eebc8b723290de7d1eac5f5e7d7fbea4447504641caa7d3ae628ef288b448b5ce119bc13cf418c5ac414dd04ab846e277f6e467b5d4053

Download Submit
C:\Users\Admin\AppData\Roaming\calcdkey\cttudiag.exe

Filesize
9KB

MD5
7f6a3adf589e3b8da1b6772364aa8c84

SHA1
569809e1dc1754c717ad2aa8f1d0d1ef62379d6c

SHA256
95de072f66318d3fad8929f69cb3640784c580065d63a67bee708e73cd5a59ce

SHA512
6aaaa2cb7c3f4c3f63670e884a31a172e195dbda714247de350478ff7d2325d4f5a35241b86c03fcde7f1458f6883c208578396dd41518d619a6aaa8559e8224

Download Submit
C:\Users\Admin\AppData\Roaming\calcdkey\cttudiag.exe

Filesize
8KB

MD5
861e52d6dcfb583afb0ad01dd5c3bf87

SHA1
1d9ce9fa1f33f85788a39d40f40e961e7c43ecfa

SHA256
c9f8ac053fca9f9b2c75a54e78513c088a0a5495a0945dc7f4a22a51ea803397

SHA512
b43aaaf0e3a7b3aca3efb94e14bcfe3a3929568ee88ae167a7126ef5bab6e39829fcc2c023d5b12d996f3c23a9ef4f282c8d09b9b602f1ea13bdaa4b34af6b40

Download Submit
\Users\Admin\AppData\Local\Temp\~1239.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\calcdkey\cttudiag.exe

Filesize
5KB

MD5
e5fa0f04774b829ceb40c464951d025b

SHA1
c0bef3a6f7d6d2e31ff779c03cd6ffb4e41d72c6

SHA256
56d95112f770fae8b01d4a924cf554ae1009417944ca61649ef2335eeb6650f4

SHA512
574117206bb29c51182f1508d3f9045f5893ebca28a0b10e530b419ac9c791b697405fd2ece6f8e0d9d092bd625fd02ff5685a62da66192ac1a6dd3914dea31e

Download Submit
memory/1244-22-0x0000000002E50000-0x0000000002ED4000-memory.dmp

Filesize
528KB

Download
memory/1244-28-0x00000000025F0000-0x00000000025FD000-memory.dmp

Filesize
52KB

Download
memory/1244-25-0x0000000002540000-0x0000000002546000-memory.dmp

Filesize
24KB

Download
memory/1244-20-0x0000000002E50000-0x0000000002ED4000-memory.dmp

Filesize
528KB

Download
memory/1244-18-0x0000000002E50000-0x0000000002ED4000-memory.dmp

Filesize
528KB

Download
memory/2528-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-19-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/2528-17-0x0000000000480000-0x00000000004FD000-memory.dmp

Filesize
500KB

Download
memory/2532-11-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2532-1-0x0000000000220000-0x000000000029D000-memory.dmp

Filesize
500KB

Download
memory/2532-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download