Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:05
Static task: static1
Behavioral task: behavioral1
- Sample: 74ee20989720d8c3c1297404cb9b8ae9.exe
- Resource: win7-20231215-en
General
- Target: 74ee20989720d8c3c1297404cb9b8ae9.exe
- Size: 57KB
- MD5: 74ee20989720d8c3c1297404cb9b8ae9
- SHA1: 07abe91df0caf355d642f6988469b59d3a4f44d5
- SHA256: a543eb4c1241b1d17933d5ca5964eebee04c89ac4220b2957e3287c235ba9917
- SHA512: 4e103f1bce857675f768d876fb7075417cbeb9f353737a4c6b34b09d279561b8494987a2897e5a05c840b9fce8bb54a4621d1812dd9bff1dc6237a72b52c1bac
- SSDEEP: 1536:WqBwbLWJLJFKqAZzrZA4kJJodxlAfEXh9lQCivFxbge:WqBFJLzgOJJohw0nqNt5
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2116, process 74ee20989720d8c3c1297404cb9b8ae9.exe
    pid 2116, process 74ee20989720d8c3c1297404cb9b8ae9.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created; ioc: C:\PROGRA~1\INTERN~1\ieframe.dll; process: cmd.exe
    description: File opened for modification; ioc: C:\PROGRA~1\INTERN~1\ieframe.dll; process: cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeRestorePrivilege; pid 2116; process 74ee20989720d8c3c1297404cb9b8ae9.exe
    description: Token: SeBackupPrivilege; pid 2116; process 74ee20989720d8c3c1297404cb9b8ae9.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description: PID 2116 wrote to memory of 2364; pid 2116; process 74ee20989720d8c3c1297404cb9b8ae9.exe; target process cmd.exe (this row is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\74ee20989720d8c3c1297404cb9b8ae9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74ee20989720d8c3c1297404cb9b8ae9.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2116
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2116)
    Command line: cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a
    - Drops file in Program Files directory
    PID: 2364
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\ife.txt
  Filesize: 19.5MB
  MD5: 4d0bbc3de1244b9da019b7d93a105ac5
  SHA1: 869dce84b4c42969162a4ff39d3c94d2693884b6
  SHA256: f0168c2f57161102bfa744c34614abdc924ef25609ad3a8a32c80bc95dda98bf
  SHA512: c826c4bd087d87e865b6ca938d6dedc6456e658e501fb23d1166c3ced149c953939edae2c25e70277fe1cfd9eceb0581c524e443882dc451a607a0a9355044e1
- \Users\Admin\AppData\Local\Temp\nsy391B.tmp\nsExec.dll
  Filesize: 6KB
  MD5: e54eb27fb5048964e8d1ec7a1f72334b
  SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
  SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
  SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- \Users\Admin\AppData\Local\Temp\nsy391B.tmp\time.dll
  Filesize: 10KB
  MD5: 38977533750fe69979b2c2ac801f96e6
  SHA1: 74643c30cda909e649722ed0c7f267903558e92a
  SHA256: b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
  SHA512: e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53