5d2d957299e0b7b24198393dfb954fd03822dcf46874abcc5054d971ab446b81

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7127440e9d76292b88e36df44ed5479b.exe
Size

68KB
MD5

7127440e9d76292b88e36df44ed5479b
SHA1

ab3b0b9ec6530e9dbdc1d70fd3c7572954a47046
SHA256

5d2d957299e0b7b24198393dfb954fd03822dcf46874abcc5054d971ab446b81
SHA512

e23c5dbd21baf496143003f11a6976a16b5f16f9f92ce7e45abcacaa4ce5db3a2ccfffe39ac13e1d7eed828dd10ce3692e552f9f28a4e85db36b91c5340b98b2
SSDEEP

1536:KpgpHzb9dZVX9fHMvG0D3XJbC4b6B08HnSIdBky7xwrc+HpQQ:IgXdZt9P6D3XJbC4mB0QHj7xwrc2pQQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2552	rundll32.exe
6	2552	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	rundll32.exe
2552	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 1704 wrote to memory of 2552	1704	7127440e9d76292b88e36df44ed5479b.exe	28
PID 2552 wrote to memory of 2652	2552	rundll32.exe	31
PID 2552 wrote to memory of 2652	2552	rundll32.exe	31
PID 2552 wrote to memory of 2652	2552	rundll32.exe	31
PID 2552 wrote to memory of 2652	2552	rundll32.exe	31
PID 2652 wrote to memory of 2616	2652	cmd.exe	33
PID 2652 wrote to memory of 2616	2652	cmd.exe	33
PID 2652 wrote to memory of 2616	2652	cmd.exe	33
PID 2652 wrote to memory of 2616	2652	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7127440e9d76292b88e36df44ed5479b.exe
"C:\Users\Admin\AppData\Local\Temp\7127440e9d76292b88e36df44ed5479b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\kR9R5GkiZB.dll",Install C:\Users\Admin\AppData\Local\Temp\kR9R5GkiZB
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\kR9R5GkiZB.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kR9R5GkiZB

Filesize
1024B

MD5
f9b6dd91cfc5b00f139d33c158c50071

SHA1
f67efc562f2924b5b7904984bb525cb7474e5037

SHA256
28bb8f1a843d14efc541f063900f1d27fb747a2a887f23df05d13792c92ed6bf

SHA512
4d277702b0b68225bf36dd256ea186de839ad3462841cc92864436cf5d46aca323bfaadb2a68a13bf4470ed8f6870dcb13ff1d3dd11a444fcfd57b75f499847f

Download Submit
\Users\Admin\AppData\Local\Temp\kR9R5GkiZB.dll

Filesize
67KB

MD5
0926c75dcfb71173c22ed89e44ea6f78

SHA1
012ecac790739f5b92f207ff9f1cbb4dc86516e3

SHA256
40055fa711c4e132099cc760c6b8f10423233b6543be153d7e895a5af1070d55

SHA512
4f761af8f8bec360ae3842d57f12648f6cfca1355954e55b882b983022849b8004dfca61015a913ccf2f0f0e93b6dd853d4710c7d5bdbf738a7c3a12f1ba3608

Download Submit