Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 17:27

General

  • Target

    sdpig.exe

  • Size

    125KB

  • MD5

    1c0356a4d34f36e2ee3cba5ab3aaabd8

  • SHA1

    13c218d5205bcd2d0b244278787629d6f4ee842e

  • SHA256

    df8fc44f5b858f79a9cc033b6245e88aa829f057ad077aa379ada32dd4889434

  • SHA512

    fb098eb6ed3dde834247eab7af2a5cb1644fdeaa5030e44d80d37dc898145925f4162a836499619d46bbf44fbe9a97d902f1aa69e30b1f3ee7c8fe44c30198ef

  • SSDEEP

    3072:8sv1gkIVWIkWdn4V/nfQWIjfJ1AZDHuEz3BHG0x+:UhWJWd4UjR+ROEz

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sdpig.exe
    "C:\Users\Admin\AppData\Local\Temp\sdpig.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\wsearch\searchm.dll" -s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2620
    • C:\Program Files (x86)\wsearch\Search.exe
      "C:\Program Files (x86)\wsearch\Search.exe" us
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\wsearch\searchm.dll

    Filesize

    32KB

    MD5

    1347396bc1c22564878cb94f3b810404

    SHA1

    d92d425ba15404c081a2e597ebdd74ac7cda17f1

    SHA256

    c928218d0244e1c8f8b78ae474c0d8805d1ab1033ef437dbec60c730993de6c9

    SHA512

    a37f1637ed55cff8280b790632f023cd4c3b6bdf98eb5d95e4a2a0aaa6a56e2e2ba48ca1779c8cbf92202304ff3dbc6627aaa09bb4a557e419830c5bda15c238

  • \Program Files (x86)\wsearch\Mouse1.dll

    Filesize

    64KB

    MD5

    23dc474fa7d3f168893a0636ec39e8b3

    SHA1

    1d20d251dde02aaa1b34c8681f7a2f60b5af98cf

    SHA256

    b7063981dc266732e4cc464a07f2eca1e2b0aa5cb8d792199051bd7771a0661a

    SHA512

    75e43e5963b07da4550416593453557a789041f5a662071de59a49f0cffa8fae748b1ab02f464f24a8facdc078923834b0a4ee23309b6c7438a06ba2ffe47097

  • \Program Files (x86)\wsearch\Search.exe

    Filesize

    88KB

    MD5

    610595ff326d38e997796d9725c1db1c

    SHA1

    a2c4e29148d1b2a3cfc4f88938a39d60791186d4

    SHA256

    983652684d3cc24262fdcc587f3f2a7c1e2118b3d7ac4ee760d876a1ef03a86e

    SHA512

    021d063aeb23134c2332986c0a800c64e7a9f660018f3ec5ce1f5e7f487de6cf6b329908869a01b20426cc119c90a3daa880b82bbff86587eba5aaa7538e4a43