Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-01-2024 00:50

General

  • Target

    59d86b1254f2413d24c7b6a2a8d32950.exe

  • Size

    20KB

  • MD5

    59d86b1254f2413d24c7b6a2a8d32950

  • SHA1

    53a6e1015f208479ffd4eb9b938e67839ea83107

  • SHA256

    8fde06d3e3e2ddef8a82cc1344963cf947611ed75eb9cb32c593c83cdc10409b

  • SHA512

    f7563b46896711bc81e063a18271c3559016cb2a32823457e824a60eee591008542f61e5ef808111127f252198d529fd83b1ceea21716d9e047e7150d26eb65a

  • SSDEEP

    384:e8bQ9KaonyhLvVEyvsQQ00R3hcvni6vQoLnmmkOLmD:NWKzyhLKEsKe3wnz49OKD

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\59d86b1254f2413d24c7b6a2a8d32950.exe
    "C:\Users\Admin\AppData\Local\Temp\59d86b1254f2413d24c7b6a2a8d32950.exe"
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\SysWOW64\NTdhcp.exe
      C:\Windows\system32\NTdhcp.exe
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Deleteme.bat
      PID:660

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\Deleteme.bat

      Filesize

      184B

      MD5

      347dc839da9979a266bf2212f6e0e175

      SHA1

      063c1e8967face2d795db72028a25b61c37d6988

      SHA256

      0c92eddb9d50992a928263649b6bdcb125cbd18149c128f62a925d0d391d16fa

      SHA512

      07e8aaf580d7ef72f52654aa5ed875bb4b7a01c3399a8e11420e02e81feeac91fc22a2b06e92809b68f6b1faf8306919ed94b7a7fcfb38ef56ed437afc1a6021

    • C:\Windows\SysWOW64\NTdhcp.exe

      Filesize

      20KB

      MD5

      59d86b1254f2413d24c7b6a2a8d32950

      SHA1

      53a6e1015f208479ffd4eb9b938e67839ea83107

      SHA256

      8fde06d3e3e2ddef8a82cc1344963cf947611ed75eb9cb32c593c83cdc10409b

      SHA512

      f7563b46896711bc81e063a18271c3559016cb2a32823457e824a60eee591008542f61e5ef808111127f252198d529fd83b1ceea21716d9e047e7150d26eb65a

    • memory/1168-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1168-1-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1168-2-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

    • memory/1168-13-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/4416-8-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/4416-9-0x0000000002020000-0x0000000002021000-memory.dmp

      Filesize

      4KB

    • memory/4416-12-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB