6a4ff569548cabfc375de0b4b69a29482a140929092852179f7086eac405059b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fb2324ee40ca33b3df7cf420e3cf36.exe
Size

227KB
MD5

76fb2324ee40ca33b3df7cf420e3cf36
SHA1

354d79da5baf1d68d46bd83dff46cfb302dfe132
SHA256

6a4ff569548cabfc375de0b4b69a29482a140929092852179f7086eac405059b
SHA512

b992e9a22df036d0681b65fe6a956071d4d957c6a17c40dcdf8861fe5546201f68c7079ca15853a1f51b1c151a6966af426147af28b2c9adf65f0df261690ad3
SSDEEP

6144:jzOdykKSsvop14HAZvMy75KGsQK6tWwcRBiwxDXDy5yMt:jzOJKSOBAt7s5M6nHDXO5D

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2244	Dtadua.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\3XQZ6EO4AP = "C:\\Windows\\Dtadua.exe"	Dtadua.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	76fb2324ee40ca33b3df7cf420e3cf36.exe
File created	C:\Windows\Dtadua.exe	76fb2324ee40ca33b3df7cf420e3cf36.exe
File opened for modification	C:\Windows\Dtadua.exe	76fb2324ee40ca33b3df7cf420e3cf36.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	76fb2324ee40ca33b3df7cf420e3cf36.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Dtadua.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	76fb2324ee40ca33b3df7cf420e3cf36.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\International	Dtadua.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	Dtadua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe
2244	Dtadua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2244	2144	76fb2324ee40ca33b3df7cf420e3cf36.exe	28
PID 2144 wrote to memory of 2244	2144	76fb2324ee40ca33b3df7cf420e3cf36.exe	28
PID 2144 wrote to memory of 2244	2144	76fb2324ee40ca33b3df7cf420e3cf36.exe	28
PID 2144 wrote to memory of 2244	2144	76fb2324ee40ca33b3df7cf420e3cf36.exe	28

C:\Users\Admin\AppData\Local\Temp\76fb2324ee40ca33b3df7cf420e3cf36.exe
"C:\Users\Admin\AppData\Local\Temp\76fb2324ee40ca33b3df7cf420e3cf36.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Dtadua.exe
  C:\Windows\Dtadua.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Dtadua.exe

Filesize
227KB

MD5
76fb2324ee40ca33b3df7cf420e3cf36

SHA1
354d79da5baf1d68d46bd83dff46cfb302dfe132

SHA256
6a4ff569548cabfc375de0b4b69a29482a140929092852179f7086eac405059b

SHA512
b992e9a22df036d0681b65fe6a956071d4d957c6a17c40dcdf8861fe5546201f68c7079ca15853a1f51b1c151a6966af426147af28b2c9adf65f0df261690ad3

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
344B

MD5
83dd1d7d55e44f96757040cf58832355

SHA1
3840b8dff16ee0874693b77b9f9cf972bad42e43

SHA256
ced81b3657a8ef00de61963e95235df33bca02758c8759f876efce7a547e1bb5

SHA512
c9ab89aaf4cbf3a3ac28065eb493f7c8ea46e324093cb1233a23a1f258311d6211a0c3b64f40ad218fcf69ebe281889dc2cd3da08cfbef1bc222f0c83fb850d8

Download Submit
memory/2144-11715-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2144-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-40852-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-32781-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-53474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-53475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-53476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-53478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-53482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download