Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:54
Static task: static1
Behavioral task: behavioral1
Sample: 75057e3143e83260c56cb2ea4660da99.exe
Resource: win7-20231215-en
General

Target: 75057e3143e83260c56cb2ea4660da99.exe
Size: 50KB
MD5: 75057e3143e83260c56cb2ea4660da99
SHA1: 8911672d14cf4d4195d802986803be8f9dcf66fc
SHA256: a7179286326fd0f750d4c24e18d69fc25480f3e85f6640d4590b2917da7bddaf
SHA512: ad16319c233df094bc23f938f1d6a4915c1fe6a52bc2c978b8123fe1329ad66eb25008a793b37a4b907e3164ce3572c890a5d7097efa0777c74d0a2fe30d5926
SSDEEP: 768:w4PE5eark7aaPFYoIIAyhQ7u1oIVTXHuq4NXsewvVNsqOlWDtDZJWEnRrev:tM5ea47aa9p27u6IZuq4N8g+DLJWCR
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2208  cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1900  75057e3143e83260c56cb2ea4660da99.exe

Processes:
  resource                                                                      yara_rule
  \Windows\SysWOW64\xxyyyxx.dll                                                 upx
  behavioral1/memory/1900-15-0x0000000000400000-0x0000000000419000-memory.dmp  upx

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                              process
  File opened for modification  C:\Windows\SysWOW64\xxyyyxx.dll  75057e3143e83260c56cb2ea4660da99.exe
  File created                  C:\Windows\SysWOW64\xxyyyxx.dll  75057e3143e83260c56cb2ea4660da99.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process                               target process
  PID 1900 wrote to memory of 2208  1900  75057e3143e83260c56cb2ea4660da99.exe  cmd.exe
  PID 1900 wrote to memory of 2208  1900  75057e3143e83260c56cb2ea4660da99.exe  cmd.exe
  PID 1900 wrote to memory of 2208  1900  75057e3143e83260c56cb2ea4660da99.exe  cmd.exe
  PID 1900 wrote to memory of 2208  1900  75057e3143e83260c56cb2ea4660da99.exe  cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\75057e3143e83260c56cb2ea4660da99.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\75057e3143e83260c56cb2ea4660da99.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1900

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\75057e3143e83260c56cb2ea4660da99.exe"
    - Deletes itself
    PID: 2208
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\removalfile.bat
  Filesize: 43B
  MD5: 9a7ef09167a6f4433681b94351509043
  SHA1: 259b1375ed8e84943ca1d42646bb416325c89e12
  SHA256: d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
  SHA512: 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

\Windows\SysWOW64\xxyyyxx.dll
  Filesize: 33KB
  MD5: 6b565aa8fb498eb7c7f1588d70ba1b23
  SHA1: 2a55f0efcf84c0c76ae32e7705fb49173eb7ba04
  SHA256: f0756ace2691a950dea37a13ba8257b00e9beb3f4b849f7996b4909a92e51775
  SHA512: c15bc5f110ca3bd017ef0ca3dc0bd1b3f7cd56f5fd2d65892fcccb6c7f96f39cc11e82fe342751d43e80da6ab5bed125c822f502536317ed65427953d5926f6c

memory/1900-0-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB

memory/1900-13-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB

memory/1900-15-0x0000000000400000-0x0000000000419000-memory.dmp
  Filesize: 100KB