Analysis
-
max time kernel
147s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 17:34
Static task
static1
Behavioral task
behavioral1
Sample
751b303b3923e73425d72689f2241bdd.exe
Resource
win7-20231129-en
General
-
Target
751b303b3923e73425d72689f2241bdd.exe
-
Size
48KB
-
MD5
751b303b3923e73425d72689f2241bdd
-
SHA1
6cab0f37374ef05634ac4110f7382628cd5a7283
-
SHA256
3581e0be4c1e8248b9a2533eb77f00ff2aa0736499dc7cdc84679035dd4476b8
-
SHA512
9dde8567744afb7aee941b570b3dc868310101c330ca3aa7ea711d8bdadbd1fd77ad696510c3bbaabfee9e9c21438417f3fe163fb0a4d435775e22cb4189671b
-
SSDEEP
768:4puk4x0JxJ137DEJRuJI8+8V4abjEjahVV9E062JLLCEnX:yZ4x0JxfDEvuC8KabjEjahVV9E1Li
Malware Config
Signatures
-
Disables RegEdit via registry modification 1 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools = "1" 751b303b3923e73425d72689f2241bdd.exe -
Executes dropped EXE 2 IoCs
Processes:
service.exeservice.exepid Process 2588 service.exe 2592 service.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Windows Service = "service.exe" 751b303b3923e73425d72689f2241bdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "service.exe" 751b303b3923e73425d72689f2241bdd.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exeservice.exedescription pid Process procid_target PID 1672 set thread context of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 2588 set thread context of 2592 2588 service.exe 30 -
Drops file in Windows directory 3 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exeservice.exedescription ioc Process File created C:\Windows\service.exe 751b303b3923e73425d72689f2241bdd.exe File opened for modification C:\Windows\service.exe 751b303b3923e73425d72689f2241bdd.exe File created C:\Windows\admintxt.txt service.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exeservice.exepid Process 1672 751b303b3923e73425d72689f2241bdd.exe 2588 service.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exe751b303b3923e73425d72689f2241bdd.exeservice.exedescription pid Process procid_target PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 1672 wrote to memory of 2944 1672 751b303b3923e73425d72689f2241bdd.exe 29 PID 2944 wrote to memory of 2588 2944 751b303b3923e73425d72689f2241bdd.exe 31 PID 2944 wrote to memory of 2588 2944 751b303b3923e73425d72689f2241bdd.exe 31 PID 2944 wrote to memory of 2588 2944 751b303b3923e73425d72689f2241bdd.exe 31 PID 2944 wrote to memory of 2588 2944 751b303b3923e73425d72689f2241bdd.exe 31 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 PID 2588 wrote to memory of 2592 2588 service.exe 30 -
System policy modification 1 TTPs 2 IoCs
Processes:
751b303b3923e73425d72689f2241bdd.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 751b303b3923e73425d72689f2241bdd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools = "1" 751b303b3923e73425d72689f2241bdd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\751b303b3923e73425d72689f2241bdd.exe"C:\Users\Admin\AppData\Local\Temp\751b303b3923e73425d72689f2241bdd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\751b303b3923e73425d72689f2241bdd.exe
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2944 -
C:\Windows\service.exe"C:\Windows\service.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
-
-
-
C:\Windows\service.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5751b303b3923e73425d72689f2241bdd
SHA16cab0f37374ef05634ac4110f7382628cd5a7283
SHA2563581e0be4c1e8248b9a2533eb77f00ff2aa0736499dc7cdc84679035dd4476b8
SHA5129dde8567744afb7aee941b570b3dc868310101c330ca3aa7ea711d8bdadbd1fd77ad696510c3bbaabfee9e9c21438417f3fe163fb0a4d435775e22cb4189671b