Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:49
Static task: static1
Behavioral task: behavioral1
- Sample: 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Resource: win10v2004-20231215-en
General
- Target: 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Size: 143KB
- MD5: 75223dcf04ed991c3c6285b3a8fcfeb9
- SHA1: 3e829e04b2b5e0dec8deb30b03de94771894a09d
- SHA256: 3be80cfa604086072f7763041a1324bce517f90d67d401c81a8297ed60699f99
- SHA512: 79263f738fb2e2b0d293d8a6ea53f381afaade88688b21144239bb0be6730c632089b11d8b87c6a813bff5cf53e67537b7723bc9df7d30848315903a81e5a1c0
- SSDEEP: 3072:XJqmWJGq7dW9p6ra8cWaBCFW4fFFrdEMPXgbnVfAW3hpSt:smmdUv8cWaBCFW4tZ+kXgbnGKpS
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2360)
- Loads dropped DLL (2 IoCs)
  Processes: 75223dcf04ed991c3c6285b3a8fcfeb9.exe (PID 2408), cmd.exe (PID 2360)
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\fingshta.dll, by process 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 75223dcf04ed991c3c6285b3a8fcfeb9.exe (PID 2408)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2408 (75223dcf04ed991c3c6285b3a8fcfeb9.exe) wrote to memory of PID 1272 (Explorer.EXE)
  PID 2408 (75223dcf04ed991c3c6285b3a8fcfeb9.exe) wrote to memory of PID 2360 (cmd.exe)
  PID 2408 (75223dcf04ed991c3c6285b3a8fcfeb9.exe) wrote to memory of PID 2360 (cmd.exe)
  PID 2408 (75223dcf04ed991c3c6285b3a8fcfeb9.exe) wrote to memory of PID 2360 (cmd.exe)
  PID 2408 (75223dcf04ed991c3c6285b3a8fcfeb9.exe) wrote to memory of PID 2360 (cmd.exe)
  PID 2360 (cmd.exe) wrote to memory of PID 2264 (attrib.exe)
  PID 2360 (cmd.exe) wrote to memory of PID 2264 (attrib.exe)
  PID 2360 (cmd.exe) wrote to memory of PID 2264 (attrib.exe)
  PID 2360 (cmd.exe) wrote to memory of PID 2264 (attrib.exe)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Windows\Explorer.EXE (PID: 1272)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe (PID: 2408)
    Command line: "C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID: 2360)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259409522.bat" "C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe""
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID: 2264)
        Command line: attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 69B
  MD5: 604802586163bdc9eda42f6a471e01ad
  SHA1: fc255017a78e3ec103f73c8c8651effe08089c81
  SHA256: 02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3
  SHA512: 66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888
- Filesize: 63KB
  MD5: aa5a35cd1cca7152c8df2a80193b8a56
  SHA1: 5d1f272e7eb836a767e144b778b8dc249068b9ce
  SHA256: 710ff2c7c6bb6b6bfa6c91b01c11db4056af6ee0ed90f7c4c89dec8fb7fc5799
  SHA512: d52c7aa1d99b726511c45488928fd629206d8d6846558b545beb72da3110a45ef22b6163f28b6bf383e519b81ae7e6f4dcdbfcfbee60c6fec3bfc60f3063614d