Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2024 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: 52dfd3a9f74ff32963538295fcecd780.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 52dfd3a9f74ff32963538295fcecd780.exe
- Resource: win10v2004-20231222-en
General
- Target: 52dfd3a9f74ff32963538295fcecd780.exe
- Size: 1.8MB
- MD5: 52dfd3a9f74ff32963538295fcecd780
- SHA1: 0f990ce98d458f4b57d9ad23fb30045b1a0120c5
- SHA256: d95bfe5461ae5ac68688d2cb11c8b74ff827441c3efa326e33ea439247507df8
- SHA512: 4384ad2832d44c6fb665c482cc91a44cbb7287c4f750d9df46bbb6b48cf6ba5f4eaef079048cbc1288f4218797529430d550b498752d41637dbd62e70221e292
- SSDEEP: 49152:B0e6ZrIhl8UnrSU1ipSMcV9cRlyqZ2RqWeq8DFOaaM9tBa:W1VIhP30pS3RqWv8DxJ9na
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4812  360O0K.exe
  3368  360O0K.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  4812  360O0K.exe
- Drops file in System32 directory (5 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\360O0K.exe    52dfd3a9f74ff32963538295fcecd780.exe
  File created                  C:\Windows\SysWOW64\360O0K.exe    360O0K.exe
  File created                  C:\Windows\SysWOW64\Deleteme.bat  360O0K.exe
  File opened for modification  C:\Windows\SysWOW64\Deleteme.bat  52dfd3a9f74ff32963538295fcecd780.exe
  File created                  C:\Windows\SysWOW64\360O0K.exe    52dfd3a9f74ff32963538295fcecd780.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  pid   Process
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  4812  360O0K.exe
  4812  360O0K.exe
  4812  360O0K.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
  2468  52dfd3a9f74ff32963538295fcecd780.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 2468 wrote to memory of 2256  2468  52dfd3a9f74ff32963538295fcecd780.exe  95
  PID 2468 wrote to memory of 2256  2468  52dfd3a9f74ff32963538295fcecd780.exe  95
  PID 2468 wrote to memory of 2256  2468  52dfd3a9f74ff32963538295fcecd780.exe  95
  PID 4812 wrote to memory of 3368  4812  360O0K.exe                            99
  PID 4812 wrote to memory of 3368  4812  360O0K.exe                            99
  PID 4812 wrote to memory of 3368  4812  360O0K.exe                            99
  PID 4812 wrote to memory of 4952  4812  360O0K.exe                            102
  PID 4812 wrote to memory of 4952  4812  360O0K.exe                            102
  PID 4812 wrote to memory of 4952  4812  360O0K.exe                            102
  PID 2468 wrote to memory of 2696  2468  52dfd3a9f74ff32963538295fcecd780.exe  105
  PID 2468 wrote to memory of 2696  2468  52dfd3a9f74ff32963538295fcecd780.exe  105
  PID 2468 wrote to memory of 2696  2468  52dfd3a9f74ff32963538295fcecd780.exe  105
Processes
- C:\Users\Admin\AppData\Local\Temp\52dfd3a9f74ff32963538295fcecd780.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52dfd3a9f74ff32963538295fcecd780.exe"
  PID: 2468
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\52dfd3a9f74ff32963538295fcecd780.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\52dfd3a9f74ff32963538295fcecd780.exe"
    PID: 2256
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    PID: 2696
- C:\Windows\SysWOW64\360O0K.exe
  Command line: C:\Windows\SysWOW64\360O0K.exe -NetSata
  PID: 4812
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\360O0K.exe
    Command line: "C:\Windows\SysWOW64\360O0K.exe"
    PID: 3368
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    PID: 4952
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1024B
  MD5: 12871388b682b159ddd85545302a289d
  SHA1: 76b47377da188fcfddeefa0f940287f1cce9885d
  SHA256: cc033f00e96cae1829e3a5c15150fe68a62f65440f1b158d9257370fbc488a9b
  SHA512: d60953b62d08e52fa2860db257e2bdbaa97e7eff7007617857f7b30a76f7c7ba81f8444d313a6ad496adbbaede5af1661e72522046789bb9aee1340f7ac12c7d