Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 74fffc33648d3f6da249d0ce61d17f2f.exe
- Resource: win7-20231129-en
General
- Target: 74fffc33648d3f6da249d0ce61d17f2f.exe
- Size: 21KB
- MD5: 74fffc33648d3f6da249d0ce61d17f2f
- SHA1: 925c03dbb036852995de31c19afe819336e62374
- SHA256: 78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011
- SHA512: 7333d9fbb8e6654b4281949117e81a4ffd05de6336d4011d24343e7e75860b1e6d3010e4a6c2613aa3db300c1fbf5713f8a3eb61dcdc8e96731a9b4cc4c96969
- SSDEEP: 384:/syLKhQKLpFGANNQOgQuP0ACk7UqZ1esjYE0W:/syLKDF1NNQOFu44UKe
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe, PID 2552
- Executes dropped EXE (1 IoC)
  Processes: Wdost.exe, PID 3068
- Loads dropped DLL (2 IoCs)
  Processes: 74fffc33648d3f6da249d0ce61d17f2f.exe, PID 2996 (2 events)
- Drops file in System32 directory (3 IoCs)
  Description                   IoC                             Process
  File created                  C:\Windows\SysWOW64\Wdost.exe   74fffc33648d3f6da249d0ce61d17f2f.exe
  File opened for modification  C:\Windows\SysWOW64\Wdost.exe   74fffc33648d3f6da249d0ce61d17f2f.exe
  File created                  C:\Windows\SysWOW64\Wdost.exe   Wdost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description                         PID   Process
  Token: SeIncBasePriorityPrivilege   2996  74fffc33648d3f6da249d0ce61d17f2f.exe
  Token: SeIncBasePriorityPrivilege   3068  Wdost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                               Target process   Events
  PID 2996 wrote to memory of 3068   2996  74fffc33648d3f6da249d0ce61d17f2f.exe  Wdost.exe        4
  PID 2996 wrote to memory of 2552   2996  74fffc33648d3f6da249d0ce61d17f2f.exe  cmd.exe          4
  PID 3068 wrote to memory of 2832   3068  Wdost.exe                             cmd.exe          4
Processes
- C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe"
  PID: 2996
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wdost.exe
    Command line: "C:\Windows\system32\Wdost.exe"
    PID: 3068
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Wdost.exe > nul
      PID: 2832
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\74FFFC~1.EXE > nul
    PID: 2552
    - Deletes itself

Notes on the tree: the command lines name C:\Windows\system32\ while the resolved image paths are under C:\Windows\SysWOW64\. That is WoW64 file-system redirection, so the sample and its copy run as 32-bit processes on this 64-bit Windows 7 image, and the "Drops file in System32 directory" signature actually refers to SysWOW64. The copy (PID 3068) spawns cmd.exe to delete its own image, and the original (PID 2996) spawns cmd.exe to delete itself under the 8.3 short name 74FFFC~1.EXE; a rule that compares the deletion target against the full file name misses that form.
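The chain above (copy self into SysWOW64, execute the copy, then have cmd.exe delete both images, the original under its 8.3 short name) is what an endpoint detection would key on. The following Python is an added example written for this page; it is not part of the sandbox report or its tooling. The four process records are constructed from the tree: PIDs, image paths and command lines are copied from the report, and the SHA256 of the sample and of the dropped Wdost.exe from the General and Downloads sections. The parent PID of the first process and the hashes of the two cmd.exe instances are not in the report and are left as placeholders. The logic folds System32 and SysWOW64 into one token (WoW64 redirection) and accepts 8.3 short names when matching a `del` target against an ancestor's image path.

```python
"""Flag the self-copy / self-delete chain seen in the sandbox process tree.

Added example for this report page; not part of the sandbox or its output.
Records are constructed from the report (PIDs, paths, command lines, hashes);
ppid=0 for the first process and the empty cmd.exe hashes are placeholders.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # image path as resolved by the sandbox
    cmdline: str    # command line as supplied by the parent
    sha256: str = ""


SAMPLE_SHA256 = "78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011"

# Constructed from the report's process tree.
EVENTS = [
    Proc(2996, 0,
         r"C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe"',
         SAMPLE_SHA256),
    Proc(3068, 2996, r"C:\Windows\SysWOW64\Wdost.exe",
         r'"C:\Windows\system32\Wdost.exe"', SAMPLE_SHA256),
    Proc(2832, 3068, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Wdost.exe > nul"),
    Proc(2552, 2996, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\74FFFC~1.EXE > nul"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# 8.3 short name: up to six characters, a tilde and a number, optional 1-3 char extension.
SHORT_NAME_RE = re.compile(r"^([^\\/.\s~]{1,6})~\d+(\.[^.\\/\s]{1,3})?$")
# `del` in a cmd.exe line, optional switches, then one quoted or bare path.
DEL_RE = re.compile(r'\bdel\b((?:\s+/\w)*)\s+("[^"]+"|[^\s>&|]+)', re.I)


def canon(path: str) -> str:
    """Lower-case, unquote, and fold System32/SysWOW64 into one token, so a
    command line saying system32 matches an image path under SysWOW64
    (WoW64 file-system redirection for 32-bit processes on 64-bit Windows)."""
    p = path.strip().strip('"').lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "<sysdir>\\" + p[len(d):]
    return p


def names_match(candidate: str, actual: str) -> bool:
    """Does `candidate` (from a command line) name the file `actual` (an image
    path)? Accepts the 8.3 short form, e.g. 74FFFC~1.EXE for
    74fffc33648d3f6da249d0ce61d17f2f.exe. Heuristic: same directory, the short
    prefix equals the start of the long stem (spaces and dots dropped), and
    the extension equals the first three characters of the long extension."""
    c, a = canon(candidate), canon(actual)
    if c == a:
        return True
    if ntpath.dirname(c) != ntpath.dirname(a):
        return False
    m = SHORT_NAME_RE.match(ntpath.basename(c))
    if not m:
        return False
    prefix, short_ext = m.group(1), m.group(2) or ""
    stem, long_ext = ntpath.splitext(ntpath.basename(a))
    stem = stem.replace(" ", "").replace(".", "")
    return stem.startswith(prefix) and long_ext[:4] == short_ext


def del_targets(cmdline: str) -> list:
    """Paths named by `del` in a cmd.exe command line, quotes removed."""
    return [m.group(2).strip('"') for m in DEL_RE.finditer(cmdline)]


def detect(events) -> list:
    """Return (rule, pid, path) findings for the two behaviours in the report:
    a child that is a byte-identical copy of its parent run from another path,
    and a cmd.exe that deletes the image of one of its ancestors."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (e.sha256 and e.sha256 == parent.sha256
                and canon(e.image) != canon(parent.image)):
            findings.append(("executes_self_copy", e.pid, e.image))
        if ntpath.basename(canon(e.image)) == "cmd.exe":
            targets = del_targets(e.cmdline)
            ancestor, depth = parent, 0
            while ancestor is not None and depth < 8:   # bounded walk up the tree
                if any(names_match(t, ancestor.image) for t in targets):
                    findings.append(("deletes_ancestor_image", e.pid, ancestor.image))
                    break
                ancestor, depth = by_pid.get(ancestor.ppid), depth + 1
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:24} pid={pid} {path}")
```

Run against the constructed records this yields three findings: PID 3068 executing a copy of its parent, PID 2832 deleting the image of its parent Wdost.exe, and PID 2552 deleting the image of its parent through the short name. The short-name match is a heuristic (real 8.3 generation also substitutes characters that are illegal in short names), so treat it as a high-signal hint rather than proof of identity, and confirm with the file's hash where the telemetry carries one.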
Network
MITRE ATT&CK Matrix
Downloads
- \Windows\SysWOW64\Wdost.exe
  Filesize: 21KB
  MD5: 74fffc33648d3f6da249d0ce61d17f2f
  SHA1: 925c03dbb036852995de31c19afe819336e62374
  SHA256: 78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011
  SHA512: 7333d9fbb8e6654b4281949117e81a4ffd05de6336d4011d24343e7e75860b1e6d3010e4a6c2613aa3db300c1fbf5713f8a3eb61dcdc8e96731a9b4cc4c96969
  Size and all four hashes match the submitted sample (see General): the dropped Wdost.exe is a byte-for-byte copy of 74fffc33648d3f6da249d0ce61d17f2f.exe under a new name, not a separate second-stage payload.