Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08-01-2024 21:19
Behavioral task: behavioral1
Sample: 4c7ae700358aad423ddc5196d3c03618.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 4c7ae700358aad423ddc5196d3c03618.exe
Resource: win10v2004-20231222-en
General
Target: 4c7ae700358aad423ddc5196d3c03618.exe
Size: 186KB
MD5: 4c7ae700358aad423ddc5196d3c03618
SHA1: 934950ec62a96deff378825ec51b4455dea45c60
SHA256: 04fea0668ffa1613be5f052755c88fbbe72ea47ddcc0d808771939c38a9e8f9a
SHA512: 446a8e25ab6ba05c0e6c50719b620f8d8cc7d18d06f874a6b9aba73d1250022207842671e5d91f9653c06d79c82704a411748c40d72fb5b210784f58c00b0500
SSDEEP: 3072:vXsEMh4Qi7+x8a4f58GgyQl3RGzD6uiushKnsQjY4PwUsOUIgESo6OJ4:vXsEHQiI8acMlAsuY0OUhzSoY
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 1984, Process ins3961.exe

Loads dropped DLL (4 IoCs)
  pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe
  pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe
  pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe
  pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe

YARA matches (resource, yara_rule)
  behavioral1/memory/2032-0-0x0000000000A90000-0x0000000000B09000-memory.dmp, upx
  behavioral1/memory/2032-22-0x0000000000A90000-0x0000000000B09000-memory.dmp, upx
  behavioral1/memory/2032-27-0x0000000000A90000-0x0000000000B09000-memory.dmp, upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1984, Process ins3961.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege, pid 1984, Process ins3961.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1984, Process ins3961.exe
  pid 1984, Process ins3961.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
  description PID 2032 wrote to memory of 1984, pid 2032, Process 4c7ae700358aad423ddc5196d3c03618.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\4c7ae700358aad423ddc5196d3c03618.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c7ae700358aad423ddc5196d3c03618.exe"
   PID: 2032
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\n3961\ins3961.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\n3961\ins3961.exe" ins.exe /e11736288 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
      PID: 1984
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 264KB
MD5: 5653950415888177a9cbb4c7fb8e223e
SHA1: a523b9aacb99da11feebda1bf1b27687f839977b
SHA256: d2606331b86cb80d05a59ed1055983cf38bc17f3e5bf01543c40decfc67acf45
SHA512: 6deeac7c1e39d328f6b43c582343cc2026934f36b75287811e677405d74d1f2b524a14de05688172f30a10449238d4a5e6ac96e21c1d341a3fb59cb626b04d96