Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
10/01/2024, 12:41
Static task
static1
Behavioral task
behavioral1
Sample
509567746584cefbda29149448eb7dbc.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
509567746584cefbda29149448eb7dbc.exe
Resource
win10v2004-20231215-en
General
-
Target
509567746584cefbda29149448eb7dbc.exe
-
Size
5.4MB
-
MD5
509567746584cefbda29149448eb7dbc
-
SHA1
2e4bf637ba8ff53e863503c993e4e107169017e2
-
SHA256
d50705040b30b00f8a8fa6adfb56c31763e6a4d7ebd341976dab18fccc8e679e
-
SHA512
8d1591d49c7eff5e3688f7d2d8fa355e633f599be620976a6236787fd0c6315bc17277e7ed0e4066331649e7fb8f26e2cc8a291d87990757f87656ff74ec4bba
-
SSDEEP
98304:e3g2ZGsXdwFZY/HC2TK62pJjxnYezvNIqIeo5ZOsXk9gX30YEB:d9sUZ82pNGez45wsXbX30D
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process
2164 Runtime Broker.exe
1616 108953vg7238n0gv5.exe
-
Loads dropped DLL 2 IoCs
pid Process
1972 509567746584cefbda29149448eb7dbc.exe
1972 509567746584cefbda29149448eb7dbc.exe
-
YARA rule match: vmprotect 2 IoCs
resource yara_rule
behavioral1/files/0x0009000000016176-13.dat vmprotect
behavioral1/files/0x0009000000016176-11.dat vmprotect
Both dropped files match the vmprotect rule, i.e. they carry VMProtect packer artifacts. Expect virtualised code and anti-debugging checks when analysing them statically; the hashes listed under Downloads identify the packed files, not their unpacked payloads.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
The eight writes from the sample (PID 1972) into the two executables it spawned from %APPDATA% are the edges worth examining. The three writes from PID 2164 into PID 2052 target WerFault.exe, which the process list shows launched with -p 2164, i.e. the Windows Error Reporting handler for a fault in Runtime Broker.exe; treat those as crash-handling activity, not injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\509567746584cefbda29149448eb7dbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\509567746584cefbda29149448eb7dbc.exe"
  Level 1
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1972
  -
  C:\Users\Admin\AppData\Roaming\108953vg7238n0gv5.exe
    Command line: "C:\Users\Admin\AppData\Roaming\108953vg7238n0gv5.exe"
    Level 2
    - Executes dropped EXE
    PID:1616
  -
  C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    Level 2
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2164
-
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2164 -s 520
  Level 1
  PID:2052
Note: the dropped "Runtime Broker.exe" sits in %APPDATA%\Roaming and has a space in its name; the legitimate Windows binary is C:\Windows\System32\RuntimeBroker.exe, so the name masquerades as a system process. The WerFault.exe instance was invoked for a fault in PID 2164 (-p 2164), which means the dropped Runtime Broker.exe crashed during the run, and the WriteProcessMemory IoCs from 2164 into 2052 belong to that crash report.
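The following is an added example, not part of the sandbox report and not code from the sample's author. It rebuilds the cross-process write edges from the report's own WriteProcessMemory rows (copied into the script as constructed input) and labels each edge using the process list: a write into a WerFault.exe instance whose -p argument names the writer is a crash report, a write into a process the writer spawned is a parent-to-child write, and anything else is an unrelated cross-process write. The parent relationships are inferred from the nesting of the Processes tree above; the label names and the helper functions are mine and apply to any report rows in the same format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed input: rows copied from the report's "Suspicious use of
# WriteProcessMemory" table (description, pid, Process, procid_target).
WPM_ROWS = """\
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 2164 1972 509567746584cefbda29149448eb7dbc.exe 21
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 1972 wrote to memory of 1616 1972 509567746584cefbda29149448eb7dbc.exe 20
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
PID 2164 wrote to memory of 2052 2164 Runtime Broker.exe 19
"""

# Process list from the report's tree: pid -> (parent pid, command line).
# Parent pids are an assumption taken from the tree nesting; WerFault.exe is
# shown at top level with no parent, so it is recorded as None.
PROCESSES: Dict[int, Tuple[Optional[int], str]] = {
    1972: (None, r'"C:\Users\Admin\AppData\Local\Temp\509567746584cefbda29149448eb7dbc.exe"'),
    1616: (1972, r'"C:\Users\Admin\AppData\Roaming\108953vg7238n0gv5.exe"'),
    2164: (1972, r'"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'),
    2052: (None, r"C:\Windows\system32\WerFault.exe -u -p 2164 -s 520"),
}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (.+?) (\d+)$")


def parse_wpm_rows(text: str) -> List[Tuple[int, int, str]]:
    """Return (source pid, target pid, source image) for every table row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def write_edges(rows: List[Tuple[int, int, str]]) -> Counter:
    """Collapse repeated rows into (src, dst) -> number of recorded writes."""
    return Counter((src, dst) for src, dst, _ in rows)


def wer_faulting_pid(cmdline: str) -> Optional[int]:
    """WerFault.exe is launched with -p <pid> naming the faulting process."""
    if "werfault.exe" not in cmdline.lower():
        return None
    m = re.search(r"-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def classify_edge(src: int, dst: int, procs: Dict[int, Tuple[Optional[int], str]] = PROCESSES) -> str:
    """Label one write edge; the label names are this example's own."""
    dst_parent, dst_cmd = procs[dst]
    if wer_faulting_pid(dst_cmd) == src:
        return "wer_crash_report"        # src crashed; target is its WER handler
    if dst_parent == src:
        return "write_into_own_child"    # parent writing into a process it spawned
    return "cross_process_write"         # unrelated target: inspect closely


def summarize(text: str = WPM_ROWS, procs=PROCESSES) -> Dict[Tuple[int, int], Tuple[int, str]]:
    """Map every (src, dst) edge to (write count, label)."""
    edges = write_edges(parse_wpm_rows(text))
    return {edge: (n, classify_edge(*edge, procs)) for edge, n in edges.items()}


if __name__ == "__main__":
    for (src, dst), (n, label) in summarize().items():
        print(f"{src} -> {dst}: {n} writes  [{label}]")
```

Running it reduces the eleven rows to three edges: two parent-to-child writes from the sample and one crash-report edge into WerFault.exe. The report does not say what was written, so a parent-to-child write by itself does not distinguish process hollowing from ordinary launcher behaviour; compare the in-memory image of each child with the dropped-file hashes before drawing that conclusion.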
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 93KB
MD5 476df6be3a41e37bac0dddb012cadef3
SHA1 8603cd737272f466d061ef09c34ea7b36dbb10a9
SHA256 820e87a95fef884afd9e40e88a7524680407573d3cb42fe7a5d297a660fb7311
SHA512 35ec22e32b1657b5f8d2bb1ed6d6c096ec12e53c26f5afca8cbff2cfaacb55bad0c1dd26fec1548040eaea0f3a6c74737901e71a2626e0d63a1b0f447058ec30
-
Filesize 894KB
MD5 6aa17ea54be984117cbea54db2c6b402
SHA1 b33d4b732b3cd51c8c7538a500fc220cf844c9b3
SHA256 e4fd7b21d374441710aba62371ed041ff975d80eac02db23266ccadd40dbff4f
SHA512 237667cc8b32aab143405cf5af37009fcc594b79d9f3061e933dd3498baeb2486dc98531b0db94156e5bd84498147eee2dd6cc852b17323a1438984d9551e3ad