Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
25-01-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
750631a2c1e39cdf666553eef759c08a.exe
Resource
win7-20231215-en
General
-
Target
750631a2c1e39cdf666553eef759c08a.exe
-
Size
877KB
-
MD5
750631a2c1e39cdf666553eef759c08a
-
SHA1
4a29c15705beb87998f63d853766733110527be9
-
SHA256
148de4af81e904f345fef275e9dbbf9b00dc3cfeb15b874ce4b6b97c15d69f0c
-
SHA512
bc3f449ac3719721f03acf2c124a5d92ac04d6584da0bdffd531848c65a3fc6a8adf340c7c2dcc387e81e732e2e0bb5868cc56de16a0ecec684b1294f5341610
-
SSDEEP
24576:p6MLKmtvPyHu7C8v4zEzy9pNg4W7HM8tcN+2QHCQDA:kiKmHyOWoSEnp7s8UQq
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
Processes:
pid  process
816  750631a2c1e39cdf666553eef759c08a.exe
816  750631a2c1e39cdf666553eef759c08a.exe
816  750631a2c1e39cdf666553eef759c08a.exe
816  750631a2c1e39cdf666553eef759c08a.exe -
Checks whether UAC is enabled
Processes:
description        ioc                                                                                     process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  750631a2c1e39cdf666553eef759c08a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                       pid   process                               target process
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2668 wrote to memory of 2276  2668  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
PID 2276 wrote to memory of 816   2276  750631a2c1e39cdf666553eef759c08a.exe  750631a2c1e39cdf666553eef759c08a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
  - Suspicious use of WriteProcessMemory
  PID:2668
  -
  C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
    - Suspicious use of WriteProcessMemory
    PID:2276
    -
    C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\750631a2c1e39cdf666553eef759c08a.exe"
      - Loads dropped DLL
      - Checks whether UAC is enabled
      PID:816
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\Users\Admin\AppData\Local\Temp\owcZ0M5w2M8qWXfUTEu\extramod.dll
Filesize 73KB
MD5 88cc9c732267ae6bcbe5de78c84e01dd
SHA1 e041cbe8dd0fe4084a4bbe7a51224fc7bca23d6d
SHA256 0566d3e28debe77b682d41208c42728ecdb3fd4bb1929750d103b27873358b7e
SHA512 bc739cfb3378438ac2bc3bb9ad2e4a7b2323b85cd2defd1d20656f60eb6c3d028ba11ac4db535e2c87fd1dc5086411ecc029e7a309f8f60c6458bdaeecef6b1e
-
\Users\Admin\AppData\Local\Temp\owcZ0M5w2M8qWXfUTEu\loading_screen.dll
Filesize 5KB
MD5 44dac7f87bdf94d553f8d2cf073d605d
SHA1 21bf5d714b9fcab32ba40ff7d36e48c378b67a06
SHA256 0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66
SHA512 92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774
-
\Users\Admin\AppData\Local\Temp\owcZ0M5w2M8qWXfUTEu\lua51.dll
Filesize 494KB
MD5 f0c59526f8186eadaf2171b8fd2967c1
SHA1 8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb
SHA256 6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6
SHA512 dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854
-
\Users\Admin\AppData\Local\Temp\owcZ0M5w2M8qWXfUTEu\shared_library.dll
Filesize 200KB
MD5 bf01f7bd7cdaf44a6ba55a376a381dc7
SHA1 52cb33b8c39f545de889bc661d45b0e0505a560c
SHA256 9f965cce8e6f2173271d3693d82602230fba918a36dfc52e9830d110074a5203
SHA512 40c6786a138add4146e89f3224dfae84bd1033b40fb91de80584dbd31587c6a6ae8e645ff6b206f086cde4251f45a123ef7d180e763cd99bbb80471f033935b7
-
memory/816-10-0x0000000000270000-0x00000000002A6000-memory.dmp
Filesize 216KB
-
memory/816-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp
Filesize 64KB
-
memory/816-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-5-0x0000000000250000-0x0000000000266000-memory.dmp
Filesize 88KB
-
memory/816-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
Filesize 64KB
-
memory/816-25-0x000000007EF00000-0x000000007EF10000-memory.dmp
Filesize 64KB