Analysis
- max time kernel: 153s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:44
Behavioral task: behavioral1
- Sample: 75200e77fbdd79b413d51974e55051f1.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75200e77fbdd79b413d51974e55051f1.exe
- Resource: win10v2004-20231222-en
General
- Target: 75200e77fbdd79b413d51974e55051f1.exe
- Size: 10KB
- MD5: 75200e77fbdd79b413d51974e55051f1
- SHA1: 7286e784b8e3326a1a632466af3a7155772509c6
- SHA256: 039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b
- SHA512: 04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42
- SSDEEP: 192:DIysA/4ZJDPuuxDQNQ2spwlqZif/R/J9a+GGzDR3dD+l2+D2Dg+:DIysAwZJWNNvVqZkRjNDDxdD+lBD2s+
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2776)
- Executes dropped EXE (1 IoC)
  Processes: mpacklk.exe (PID 2188)
- Loads dropped DLL (2 IoCs)
  Processes: 75200e77fbdd79b413d51974e55051f1.exe (PID 2100), two occurrences
- Resources matching YARA rule "upx":
  - behavioral1/memory/2100-0-0x0000000000400000-0x000000000040F000-memory.dmp
  - \Windows\SysWOW64\mpacklk.exe
  - behavioral1/memory/2100-4-0x0000000000030000-0x000000000003F000-memory.dmp
  - behavioral1/memory/2188-11-0x0000000000400000-0x000000000040F000-memory.dmp
  - behavioral1/memory/2100-19-0x0000000000400000-0x000000000040F000-memory.dmp
  - behavioral1/memory/2188-21-0x0000000000400000-0x000000000040F000-memory.dmp
- Drops file in System32 directory (3 IoCs)
  Process 75200e77fbdd79b413d51974e55051f1.exe:
  - File created: C:\Windows\SysWOW64\mpackl.dll
  - File created: C:\Windows\SysWOW64\mpacklk.exe
  - File opened for modification: C:\Windows\SysWOW64\mpacklk.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 75200e77fbdd79b413d51974e55051f1.exe (PID 2100)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2100 (75200e77fbdd79b413d51974e55051f1.exe) wrote to memory of PID 2188 (mpacklk.exe), 4 occurrences
  - PID 2100 (75200e77fbdd79b413d51974e55051f1.exe) wrote to memory of PID 2776 (cmd.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe (PID 2100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\mpacklk.exe (PID 2188)
    Command line: C:\Windows\system32\mpacklk.exe ˜‰
    - Executes dropped EXE
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 2776)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe.bat
    - Deletes itself
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 72553dd9a78803fb32a2bee2af797b0d
  SHA1: 598f05111b464b856e4c5e23a6fdacfe456f8d5e
  SHA256: f687d0fdff9030790db398e737b1b94082c69243d039a19c8b6923a892a1ce38
  SHA512: d8c3173aaa051a7393c2b200487dc46d26009056bffd9b5adc3937ddd834738b1f8e24c8ac88bddd37991b2b973e0f6eac2adf45483f4020f8b102d014cec43b
- Filesize: 10KB
  MD5: 75200e77fbdd79b413d51974e55051f1
  SHA1: 7286e784b8e3326a1a632466af3a7155772509c6
  SHA256: 039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b
  SHA512: 04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42