Analysis
max time kernel: 135s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 08:28

Static task: static1
Behavioral task: behavioral1
Sample: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
Resource: win7-20231215-en
General
Target: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
Size: 986KB
MD5: cdcfa8aab8a4766ddb88df4635104d83
SHA1: 7ad43cc7224f694995e53325a581e659eabe2e16
SHA256: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
SHA512: 9948e0571bfd8a167ad456a7aa4380b7f73f0bc77475b827bb20303a5fe1bce03670900e275cec573c88df51cd42a2060012bba623c7358640af8e1209210acb
SSDEEP: 24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers (3 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1708-24-0x0000000000400000-0x0000000000463000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
    behavioral1/memory/1708-30-0x0000000000400000-0x0000000000463000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
    behavioral1/memory/1708-32-0x0000000000400000-0x0000000000463000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
- Detects executables packed with SmartAssembly (2 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/2324-3-0x00000000003F0000-0x0000000000408000-memory.dmp  INDICATOR_EXE_Packed_SmartAssembly
    behavioral1/memory/2324-5-0x0000000000530000-0x000000000053C000-memory.dmp  INDICATOR_EXE_Packed_SmartAssembly
- UPX dump on OEP (original entry point) (2 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1708-30-0x0000000000400000-0x0000000000463000-memory.dmp  UPX
    behavioral1/memory/1708-32-0x0000000000400000-0x0000000000463000-memory.dmp  UPX
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 2324 set thread context of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid / process):
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    3000  powershell.exe
    2896  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    Token: SeDebugPrivilege  3000  powershell.exe
    Token: SeDebugPrivilege  2896  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
    1708  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process):
    PID 2324 wrote to memory of 3000  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 3000  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 3000  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 3000  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 2896  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 2896  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 2896  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 2896  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  powershell.exe
    PID 2324 wrote to memory of 2592  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  schtasks.exe
    PID 2324 wrote to memory of 2592  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  schtasks.exe
    PID 2324 wrote to memory of 2592  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  schtasks.exe
    PID 2324 wrote to memory of 2592  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  schtasks.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
    PID 2324 wrote to memory of 1708  2324  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  (PID:2324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID:3000)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID:2896)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe  (PID:2592)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DEF.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe  (PID:1708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c284510e5091952cfe3959a34d622025
  SHA1: ac624e2137ceeae5fdc5824ce46ec3a5b9060181
  SHA256: 30e68063d6198b31d45cca5ff7bd1a3ea57bcdbe2b48d253b6fb5cf1f38d6ada
  SHA512: ce103bc967d067c1712c9b3b81046cae56fcefd3e234f4932139ab18270f2686a435483fd7ae47b629d3f1e404e55f64b6174631638c8824903643846778e2d2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NJDE6T3OLDAPI2AFHDUQ.temp
  Filesize: 7KB
  MD5: b294615cfb3c3bc7dfa009f2314de5bd
  SHA1: 4c31446e51df65c0e17fdc3122271fca0f36aaf9
  SHA256: 36dfae10cd88a0d6a14066f366b06d6a26c01de0fedc8bdd9b08f0d5b5c7e796
  SHA512: b7284a8fc31077a84ed72ec6d1b13535202d3af430d4b876e7766015eba8f9a87db1b7a0a4f4a44edc4158e770c4f61e0fc1afc37277694a4b7070a6bd2caff5