Analysis
max time kernel: 104s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2024, 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
  Resource: win10v2004-20231215-en
The signatures, process tree and downloads below come from the behavioral1 run (platform windows7_x64, resource win7-20231215-en, per the Analysis header); the win10v2004-20231215-en run is not shown on this page.
General
Target: bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
Size: 238KB
MD5: 4e28b8c8cc2666b35c7a3c2ca03946e1
SHA1: 784e1beca241a4cac7ad270e549c28da2f5f7e07
SHA256: bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb
SHA512: 5c8a938ef1b11bd3b016bb4f63d8b154b6de6f8947b90f520474257ff3bb583a7a13dbb0f83f90ea101bb5fa88febc18b28bffa3133d3f5b76ec656702834954
SSDEEP: 6144:1/mi5BPc1M3xwunB4qELod1EREYuPdX6/V:1JxwunB4qEU3fYzN
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2836 pro.exe; pid 828 KK.exe
- Loads dropped DLL (2 IoCs)
  pid 2392 bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe; pid 828 KK.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 1964 tasklist.exe
- Script User-Agent (2 IoCs): uses a User-Agent string associated with a script host/environment.
  flow 2, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 3, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object, so the HTTP traffic was issued through that object (typically from a script host) rather than by a browser.
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 828 KK.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2836 pro.exe (8 events); pid 828 KK.exe (4 events)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 464, Process not Found (the sandbox could not map this PID to a monitored process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 1964 tasklist.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 828 KK.exe
- Suspicious use of WriteProcessMemory (20 IoCs; each row was recorded 4 times)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 2836 | 2392 | bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe | 28
  PID 2836 wrote to memory of 2792 | 2836 | pro.exe | 33
  PID 2792 wrote to memory of 1964 | 2792 | cmd.exe | 35
  PID 2792 wrote to memory of 2008 | 2792 | cmd.exe | 36
  PID 780 wrote to memory of 828 | 780 | cmd.exe | 39
  Every pair here matches a parent/child edge of the process tree below; no write into an unrelated, pre-existing process is recorded.
Processes
(depth numbers and PIDs are reproduced as the report gives them)

1. C:\Users\Admin\AppData\Local\Temp\bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe"
   PID: 2392
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\pro.exe
      Command line: "C:\Users\Public\pro.exe"
      PID: 2836
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c tasklist | findstr /i 360tray.exe
         PID: 2792
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            PID: 1964
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /i 360tray.exe
            PID: 2008

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Public\KK.exe
   PID: 780
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\KK.exe
      Command line: C:\Users\Public\KK.exe
      PID: 828
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

Notes on the tree:
- The pipeline tasklist | findstr /i 360tray.exe checks whether 360tray.exe, the tray process of Qihoo 360 security products, is running. It is a security-product discovery step, not general process enumeration, and /i makes the match case-insensitive.
- pro.exe is a 32-bit process: its command line names C:\Windows\system32\cmd.exe, but the image launched is C:\Windows\SysWOW64\cmd.exe (WoW64 file-system redirection), which is also why tasklist.exe and findstr.exe run from SysWOW64.
- cmd.exe (PID 780) is a second root of the tree. Its parent is not shown, so the report does not say what launched C:\Users\Public\KK.exe.
- Both dropped executables run from C:\Users\Public, a directory writable by every user on the machine.
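The three behaviours the report records (execution from C:\Users\Public, the tasklist | findstr /i 360tray.exe security-product check, and the WinHttp.WinHttpRequest.5 User-Agent) expressed as detection logic and run over sample events. This is an added example, not part of the sandbox report or of the sample's code; the events below are constructed from the process tree and the Script User-Agent signature rather than captured telemetry, and the field names (pid, image, cmdline, flow, user_agent) are an assumption about whatever process-creation and proxy logs you would map onto them.

```python
import re
from typing import Optional

# Constructed sample events modelled on this report's process tree and its
# "Script User-Agent" signature. They are NOT captured logs, and the field
# names (pid, image, cmdline, flow, user_agent) are an assumption about your
# own telemetry; map Sysmon EID 1 / proxy log fields onto them as needed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe"
PROCESS_EVENTS = [
    {"pid": 2392, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 2836, "image": r"C:\Users\Public\pro.exe", "cmdline": r'"C:\Users\Public\pro.exe"'},
    {"pid": 2792, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c tasklist | findstr /i 360tray.exe"},
    {"pid": 1964, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 2008, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmdline": "findstr /i 360tray.exe"},
    {"pid": 780, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r"cmd /c C:\Users\Public\KK.exe"},
    {"pid": 828, "image": r"C:\Users\Public\KK.exe", "cmdline": r"C:\Users\Public\KK.exe"},
    # Constructed benign control: an admin listing processes with no AV grep.
    {"pid": 3100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c tasklist /v"},
]
HTTP_EVENTS = [
    {"flow": 2, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"flow": 3, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    # Constructed benign control: a browser User-Agent.
    {"flow": 4, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]

# Security-product process names worth grepping for. Only 360tray.exe (Qihoo 360)
# is evidenced by this report; extend the set from your own environment.
AV_PROCESS_NAMES = {"360tray.exe"}

# "tasklist ... | findstr [/switches] <name>" with the grep target captured.
_TASKLIST_FINDSTR = re.compile(
    r'tasklist\b[^|]*\|\s*findstr(?:\s+/\w+)*\s+"?([\w.]+)"?', re.IGNORECASE)
# Default User-Agent of the WinHttp.WinHttpRequest COM object (any version digit).
_SCRIPT_HOST_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.IGNORECASE)
PUBLIC_DIR = "c:\\users\\public\\"


def detect_av_discovery(cmdline: str) -> Optional[str]:
    """Return the process name grepped for when cmdline pipes tasklist into
    findstr and the target is a known security product, otherwise None."""
    m = _TASKLIST_FINDSTR.search(cmdline)
    if not m:
        return None
    target = m.group(1).lower()
    return target if target in AV_PROCESS_NAMES else None


def is_public_drop_execution(image: str) -> bool:
    r"""True when the executing image lives under C:\Users\Public, the
    world-writable staging directory both dropped EXEs in this report ran from."""
    return image.lower().startswith(PUBLIC_DIR)


def is_script_host_user_agent(user_agent: str) -> bool:
    """True for the WinHttp.WinHttpRequest default User-Agent seen in flows 2 and 3."""
    return bool(_SCRIPT_HOST_UA.search(user_agent))


def scan(process_events, http_events):
    """Apply the three rules and return one alert dict per hit."""
    alerts = []
    for ev in process_events:
        if is_public_drop_execution(ev["image"]):
            alerts.append({"rule": "exec_from_users_public", "pid": ev["pid"], "detail": ev["image"]})
        hit = detect_av_discovery(ev["cmdline"])
        if hit:
            alerts.append({"rule": "av_discovery_tasklist_findstr", "pid": ev["pid"], "detail": hit})
    for flow in http_events:
        if is_script_host_user_agent(flow["user_agent"]):
            alerts.append({"rule": "script_host_user_agent", "flow": flow["flow"], "detail": flow["user_agent"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(PROCESS_EVENTS, HTTP_EVENTS):
        print(alert)
```

The tasklist rule deliberately requires the pipe into findstr and a known security-product name, so a plain `tasklist /v` from an administrator (the constructed control event) does not fire; the User-Agent rule matches on the COM object name rather than the full string so a different WinHttpRequest version digit is still caught.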
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 50c6b88e240b0ee97b5b6f5c00b6a081
  SHA1: 4bf7332e5dc487eb5cd859ddcb3650231389c922
  SHA256: dc5a3ad83d9fd74901a3b129d62d8d97a1eef4842f4dff1d05e5039c79e101a0
  SHA512: 0eae33e7ca55c97e613b656f23f9f68fbe67d82070721bf86716df72aa557fcadc72adebbcfb5456cec81fbcc37b959a9042d8681f391927c5258023ab1c7740
- Filesize: 238KB (same hashes as the submitted sample in the General section)
  MD5: 4e28b8c8cc2666b35c7a3c2ca03946e1
  SHA1: 784e1beca241a4cac7ad270e549c28da2f5f7e07
  SHA256: bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb
  SHA512: 5c8a938ef1b11bd3b016bb4f63d8b154b6de6f8947b90f520474257ff3bb583a7a13dbb0f83f90ea101bb5fa88febc18b28bffa3133d3f5b76ec656702834954
- Filesize: 1.2MB
  MD5: f0e18dab16cc67f81ec762abb9a63585
  SHA1: 22f44703a214033d9f267ae4983963112cd93fad
  SHA256: b1eb520ff83d6403e04fb8ddb253e76c10b800af49629d8974d44b330d377da6
  SHA512: d68f3296f76c0db285cf627078cac898e9ddf31266e45dc4aad55c2e91c21eca99cbee1337d7dc98a6308d79fb986391930dbc1f93ead48a9a9e16a356d4165c
The page does not name the 1.1MB and 1.2MB files or tie them to pro.exe or KK.exe; match them by hash against the dropped files in your own copy of the run.