Analysis
max time kernel: 141s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27-01-2024 18:25
Behavioral task behavioral1
Sample: 7af2fa1ee1d3333f198bed40ed69a181.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 7af2fa1ee1d3333f198bed40ed69a181.exe
Resource: win10v2004-20231222-en
General
Target: 7af2fa1ee1d3333f198bed40ed69a181.exe
Size: 9KB
MD5: 7af2fa1ee1d3333f198bed40ed69a181
SHA1: 63ce9aacb77818dddae009a49ba3963e509c1832
SHA256: a3f1f903f4fc052905e7d9fbd2e967948dcc356698017d74b90bf8ab78043d1c
SHA512: 16a4c6e28aafcbf135e48dbe3c90e12bca05d971ce2b4312a03a343d023a794d95b9b977e16c9b788009a125ad0e69e6ff32d32a715ac220793d2e8a9462d95c
SSDEEP: 192:L8xYwSeIxEmd7+HfwPFjxhXEyncjWO9SwOGgxDzvnIdh/:AxYwSpEff6Fdh1n2SJ/zgdJ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2432, process IE4321.exe
Loads dropped DLL (2 IoCs)
  PID 2040, process 7af2fa1ee1d3333f198bed40ed69a181.exe
  PID 2040, process 7af2fa1ee1d3333f198bed40ed69a181.exe
YARA rule matches (rule: upx)
  behavioral1/memory/2040-1-0x0000000000400000-0x0000000000409000-memory.dmp
  behavioral1/files/0x000d0000000122c3-3.dat
  behavioral1/memory/2040-5-0x00000000005A0000-0x00000000005A8000-memory.dmp
  behavioral1/memory/2432-12-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral1/memory/2432-13-0x0000000000400000-0x0000000000408000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Olympic = "C:\\Users\\Admin\\AppData\\Roaming\\sgrunt\\IE4321.exe"
  Process: 7af2fa1ee1d3333f198bed40ed69a181.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2040 wrote to memory of PID 2432 (process 7af2fa1ee1d3333f198bed40ed69a181.exe, procid_target 28); the same event is recorded four times
Processes
C:\Users\Admin\AppData\Local\Temp\7af2fa1ee1d3333f198bed40ed69a181.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7af2fa1ee1d3333f198bed40ed69a181.exe"
  PID: 2040
  Loads dropped DLL
  Adds Run key to start application
  Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\sgrunt\IE4321.exe (depth 2, child of PID 2040)
    Command line: "C:\Users\Admin\AppData\Roaming\sgrunt\IE4321.exe"
    PID: 2432
    Executes dropped EXE
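Two of the signatures above carry the detection-relevant detail: the Run value is written under Wow6432Node (the 32-bit view of HKLM\SOFTWARE on the x64 image, consistent with the arch:x86 tag) and its target sits in a user-writable directory, AppData\Roaming\sgrunt; and all four WriteProcessMemory IoCs are the dropper writing into the child it has just launched, not into an unrelated process. The Python below is an added triage example, not part of the sandbox report or of the sample. The event objects are constructed from the entries above (the report escapes backslashes in the value data; the real string has single ones), the benign "Updater" entry is hypothetical for contrast, and the severity labels and user-writable directory list are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Run/RunOnce value paths in the kernel form the sandbox logs:
# \REGISTRY\MACHINE\... is HKLM, \REGISTRY\USER\<SID>\... is that user's HKCU.
# Wow6432Node is the 32-bit view of HKLM\SOFTWARE on 64-bit Windows; a 32-bit
# dropper opening HKLM\SOFTWARE\...\Run is redirected there by the OS.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\"
    r"(?P<wow>Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Assumed list of locations an unprivileged user can write; an autorun that
# points here was staged without admin rights, the usual dropper pattern.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class RegistrySetEvent:
    pid: int
    process: str
    value_path: str   # full path of the value written, kernel form
    data: str         # string data as stored (single backslashes)


@dataclass
class RunKeyFinding:
    pid: int
    process: str
    hive: str          # "HKLM" or "HKCU"
    wow64: bool        # written through the Wow6432Node redirection
    value_name: str
    image: str         # executable the autorun will launch
    user_writable: bool
    severity: str      # assumed scale: "high" or "review"


def image_from_command(cmd: str) -> str:
    """First token of a Run value: the quoted path, or up to the first space
    when unquoted (unquoted paths containing spaces are ambiguous by design)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_run_key(ev: RegistrySetEvent) -> Optional[RunKeyFinding]:
    """Return a finding for Run/RunOnce writes, None for any other value path."""
    m = RUN_KEY_RE.match(ev.value_path)
    if not m:
        return None
    hive = "HKLM" if m.group("hive").upper() == "MACHINE" else "HKCU"
    image = image_from_command(ev.data)
    user_writable = any(d in image.lower() for d in USER_WRITABLE_DIRS)
    # Autorun into a user-writable directory is the dropper pattern; an entry
    # under Program Files still deserves a look but is far more often benign.
    severity = "high" if user_writable else "review"
    return RunKeyFinding(ev.pid, ev.process, hive, bool(m.group("wow")),
                         m.group("name"), image, user_writable, severity)


def classify_memory_writes(writes: Iterable[Tuple[int, int]],
                           parent_of: Dict[int, int]) -> Dict[Tuple[int, int], str]:
    """Label each (writer_pid, target_pid) pair. A parent writing into the child
    it created is what every CreateProcess looks like (and also what process
    hollowing looks like, so it proves neither); a write into an unrelated
    process is a cross-process injection candidate."""
    labels: Dict[Tuple[int, int], str] = {}
    for writer, target in writes:
        related = parent_of.get(target) == writer
        labels[(writer, target)] = "parent-to-child" if related else "cross-process"
    return labels


# Constructed events transcribed from the signatures and process tree above.
SAMPLE_REGISTRY_EVENTS = [
    RegistrySetEvent(
        pid=2040, process="7af2fa1ee1d3333f198bed40ed69a181.exe",
        value_path=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Olympic",
        data=r'"C:\Users\Admin\AppData\Roaming\sgrunt\IE4321.exe"',
    ),
    # Hypothetical benign entry for contrast (not from the report).
    RegistrySetEvent(
        pid=1234, process="setup.exe",
        value_path=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        data=r'"C:\Program Files\Vendor\updater.exe" /background',
    ),
]
SAMPLE_MEMORY_WRITES = [(2040, 2432)] * 4   # the four identical IoCs
SAMPLE_PARENT_OF = {2432: 2040}             # IE4321.exe was spawned by the dropper


def run_triage(events=SAMPLE_REGISTRY_EVENTS, writes=SAMPLE_MEMORY_WRITES,
               parent_of=SAMPLE_PARENT_OF) -> Tuple[List[RunKeyFinding], Dict[Tuple[int, int], str]]:
    findings = [f for f in (triage_run_key(e) for e in events) if f]
    return findings, classify_memory_writes(writes, parent_of)


if __name__ == "__main__":
    findings, labels = run_triage()
    for f in findings:
        view = " (Wow6432Node)" if f.wow64 else ""
        print(f"[{f.severity}] {f.hive}{view} Run\\{f.value_name} -> {f.image} (pid {f.pid} {f.process})")
    for (writer, target), label in labels.items():
        print(f"WriteProcessMemory {writer} -> {target}: {label}")
```

On a live host the same logic applies to Sysmon Event ID 13 (registry value set) and Event ID 10 (process access) records; the regex keeps the hive and Wow6432Node distinction so a 32-bit dropper's entry is not missed by a query that only looks at the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path.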
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 9cc2d8de3019d3db37c434ea82dc55f0
SHA1: 56bedb4b591c3dcac99b2813feabba0b1f3fe490
SHA256: 5c4f3dbc8ed1568661f2c3282752db8234530cb8f5466fa716ecc88d5f40b6e6
SHA512: df031c24d572a144637ffabbce072a198d7fa0c257e676199a10328314e44980cca675ef9143ecadc67d00f617a21c1e667695a27e50da99b928730888c427a0