987e2c00b1236d23b9fdb22a4b209f283897e5d7d741db0d46650f2bc4dd7e2d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d7e8008e5dcf8b2913c0ebeb545565.exe
Size

28KB
MD5

53d7e8008e5dcf8b2913c0ebeb545565
SHA1

d1128fc8fea68b7b4aabfa61c084a0c7855a68e8
SHA256

987e2c00b1236d23b9fdb22a4b209f283897e5d7d741db0d46650f2bc4dd7e2d
SHA512

bc9f684d3d526906937936854032ea2dc97dbe29f4f0e85622a4f75fa3e875ece16d7401db33b6dca7bc26f9040c01a52691bd7a96866f0f22716d6651346a8a
SSDEEP

768:WJh24sXfriXQJwG6IVupYb6wm53scyYPsdU8X:WJh24wfrvJ5qE257yFX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealUpdate = "C:\\Program Files (x86)\\Common Files\\update\\svchost.exe"	53d7e8008e5dcf8b2913c0ebeb545565.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_deleteme.bat	53d7e8008e5dcf8b2913c0ebeb545565.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\update\svchost.exe	53d7e8008e5dcf8b2913c0ebeb545565.exe
File opened for modification	C:\Program Files (x86)\Common Files\update\svchost.exe	53d7e8008e5dcf8b2913c0ebeb545565.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2752	356	53d7e8008e5dcf8b2913c0ebeb545565.exe	29
PID 356 wrote to memory of 2752	356	53d7e8008e5dcf8b2913c0ebeb545565.exe	29
PID 356 wrote to memory of 2752	356	53d7e8008e5dcf8b2913c0ebeb545565.exe	29
PID 356 wrote to memory of 2752	356	53d7e8008e5dcf8b2913c0ebeb545565.exe	29

C:\Users\Admin\AppData\Local\Temp\53d7e8008e5dcf8b2913c0ebeb545565.exe
"C:\Users\Admin\AppData\Local\Temp\53d7e8008e5dcf8b2913c0ebeb545565.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\_deleteme.bat
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\_deleteme.bat

Filesize
196B

MD5
1bb61b5b533bc396f1495de872a8423b

SHA1
f89b507887a6100e68dd438120f463ea853e8d18

SHA256
3eb84894bea89ff2a6576df9ddbd6fc41b687822ae936aee4650cfea19954f0f

SHA512
942a36d2900ff42b7fff21770597e0cd659b016c60a3208fbc469aeb632eedc13c44e50933c8197282d1f3fa10e073859608e68af846d0c61f7e60065c6a644e

Download Submit
memory/356-1-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/356-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/356-10-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads