Analysis
- max time kernel: 137s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 11-01-2024 03:42
Behavioral task: behavioral1
- Sample: 52703a7aba899fd03c6ba1a278c1acd6.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 52703a7aba899fd03c6ba1a278c1acd6.exe
- Resource: win10v2004-20231222-en
General
- Target: 52703a7aba899fd03c6ba1a278c1acd6.exe
- Size: 501KB
- MD5: 52703a7aba899fd03c6ba1a278c1acd6
- SHA1: fd89913b5fd0bb6fdb0ae536a6ef0ca0864928c4
- SHA256: a510f5faa9e67d1388cbb557d5aa09ba1be491b95a84fd554ee3ae080c650074
- SHA512: c2a350ac01a392f0545b2263169cad5e523d14113f336d6444a02860d2217e3099b2e7eeb6f3ffcb3114b64db6c3b6d4a9e63506a1776b3c6a29c5abb50537e2
- SSDEEP: 12288:9Ji85/v6hTjpxE0qBMun/ZyUm9Vm9wWi:6eHsPpIMu/QUMVm9wWi
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2688, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
- Executes dropped EXE (1 IoCs)
  pid 2688, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
- Loads dropped DLL (1 IoCs)
  pid 2500, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
- YARA matches (resource: yara_rule)
  behavioral1/memory/2500-0-0x0000000000400000-0x000000000065C000-memory.dmp: upx
  behavioral1/memory/2500-16-0x0000000022E10000-0x000000002306C000-memory.dmp: upx
  behavioral1/files/0x00070000000122c9-17.dat: upx
  behavioral1/files/0x00070000000122c9-11.dat: upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3060, Process schtasks.exe
- Modifies system certificate store (description, ioc, Process)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (52703a7aba899fd03c6ba1a278c1acd6.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … (52703a7aba899fd03c6ba1a278c1acd6.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405 (52703a7aba899fd03c6ba1a278c1acd6.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = … (52703a7aba899fd03c6ba1a278c1acd6.exe)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2500, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2500, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
  pid 2688, Process 52703a7aba899fd03c6ba1a278c1acd6.exe
- Suspicious use of WriteProcessMemory (16 IoCs; columns: description, pid, Process, procid_target)
  PID 2500 wrote to memory of 2688 | 2500 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 23
  PID 2500 wrote to memory of 2688 | 2500 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 23
  PID 2500 wrote to memory of 2688 | 2500 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 23
  PID 2500 wrote to memory of 2688 | 2500 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 23
  PID 2688 wrote to memory of 3060 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 19
  PID 2688 wrote to memory of 3060 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 19
  PID 2688 wrote to memory of 3060 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 19
  PID 2688 wrote to memory of 3060 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 19
  PID 2688 wrote to memory of 2384 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 22
  PID 2688 wrote to memory of 2384 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 22
  PID 2688 wrote to memory of 2384 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 22
  PID 2688 wrote to memory of 2384 | 2688 | 52703a7aba899fd03c6ba1a278c1acd6.exe | 22
  PID 2384 wrote to memory of 2848 | 2384 | cmd.exe | 21
  PID 2384 wrote to memory of 2848 | 2384 | cmd.exe | 21
  PID 2384 wrote to memory of 2848 | 2384 | cmd.exe | 21
  PID 2384 wrote to memory of 2848 | 2384 | cmd.exe | 21
Processes
- C:\Users\Admin\AppData\Local\Temp\52703a7aba899fd03c6ba1a278c1acd6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52703a7aba899fd03c6ba1a278c1acd6.exe"
  PID: 2500
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\52703a7aba899fd03c6ba1a278c1acd6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\52703a7aba899fd03c6ba1a278c1acd6.exe
    PID: 2688
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\52703a7aba899fd03c6ba1a278c1acd6.exe" /TN QxutJGth3fd4 /F
  PID: 3060
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /Query /XML /TN QxutJGth3fd4
  PID: 2848
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\1VKA7g.xml
  PID: 2384
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 29a3a2c9ced8e076e469430b8c1a199a
  SHA1: 1e2c3d82c4eb290d34c185c695e8e02a0a52adfa
  SHA256: f7ec695522676031216da84673dcfbfda526c5247e02e4fdcee62381c335e83b
  SHA512: 7b83096b7b1218e16043f508eeae00db5499f93ca34b4754b50a36c7bba932dea5d5d70de215b2251c99da2f1a3a9a4626e79afd1efccbb4ce0a444256326c38
- Filesize: 173KB
  MD5: 414b1c21311cf98248c88eab5c631ccd
  SHA1: 8db109dd3bc7cbfbea7675dfa061a676ba395e57
  SHA256: 4039ed7889878b09c229917b7e77cc0e2609c24e63f24b70d23e0ff2a6f5f9fc
  SHA512: 577e0816e1ef59674b7527d6362991b7def54a35286886255310154a2e62b9f9d5c6b6046ccfe55d8c66d8af846c512e027c79e76af7475b0d069468a1b71ecc
- Filesize: 108KB
  MD5: 64c08bb010b76738cad9e6d7b0edef64
  SHA1: 8396507ccb41c88d7d6ae368292341c37dc44a06
  SHA256: d63299d2ddd8018d16a2c9a2754e970ebea4a4d1c6ecfad4dd909b2335b530a4
  SHA512: 4cdb7258f090508b57001d9aeed2bb361293ee18429dca63b35d159b880e9e461bb51629ef1660b3f2bba453a243176a0756d997d05b9da93791b84a200098e3