Analysis
- max time kernel: 93s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: 867b8e2b8b994464a79b77fbeac9be30.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 867b8e2b8b994464a79b77fbeac9be30.exe
- Resource: win10v2004-20231222-en
General
- Target: 867b8e2b8b994464a79b77fbeac9be30.exe
- Size: 53KB
- MD5: 867b8e2b8b994464a79b77fbeac9be30
- SHA1: 546587e4e2e7a0f3c7c13267a0b4885227eac5d1
- SHA256: d0fb52e10625e6b3c59155967729170b8e02cddcfdb69637b12adf193aef6966
- SHA512: 7450438cadeb50c0d91a7c7f6ebad1402359e54da7a9f451bce99b8e3a50a53a5a448f412534c10019acaa9c618ceb6eb28a6c2fed57a0566bd434181c03d3d5
- SSDEEP: 1536:8P7kzjcefHUdqRLPyAzGfXAIGaN4xEVgfEHg0vl00IA:pscCMPTiJKigqX
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  4468  867b8e2b8b994464a79b77fbeac9be30.exe
  4468  867b8e2b8b994464a79b77fbeac9be30.exe
- Drops file in System32 directory (5 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\allatl.cfg    867b8e2b8b994464a79b77fbeac9be30.exe
  File opened for modification  C:\Windows\SysWOW64\allatl.dll    867b8e2b8b994464a79b77fbeac9be30.exe
  File created                  C:\Windows\SysWOW64\allatl.dll    867b8e2b8b994464a79b77fbeac9be30.exe
  File created                  C:\Windows\SysWOW64\mseam.sys     867b8e2b8b994464a79b77fbeac9be30.exe
  File created                  C:\Windows\SysWOW64\sqmapi32.dll  867b8e2b8b994464a79b77fbeac9be30.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid   Process
  4468  867b8e2b8b994464a79b77fbeac9be30.exe
  (the same pid/Process pair is listed for all 48 IoCs)
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid   Process
  4468  867b8e2b8b994464a79b77fbeac9be30.exe
  660   Process not Found
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                   pid   Process
  Token: SeLoadDriverPrivilege  4468  867b8e2b8b994464a79b77fbeac9be30.exe
  Token: SeDebugPrivilege       4468  867b8e2b8b994464a79b77fbeac9be30.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 4468 wrote to memory of 3568  4468  867b8e2b8b994464a79b77fbeac9be30.exe  41
  PID 4468 wrote to memory of 884   4468  867b8e2b8b994464a79b77fbeac9be30.exe  20
  PID 4468 wrote to memory of 884   4468  867b8e2b8b994464a79b77fbeac9be30.exe  20
  PID 4468 wrote to memory of 884   4468  867b8e2b8b994464a79b77fbeac9be30.exe  20
Processes
- C:\Users\Admin\AppData\Local\Temp\867b8e2b8b994464a79b77fbeac9be30.exe (PID: 4468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\867b8e2b8b994464a79b77fbeac9be30.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID: 884)
    Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\867b8e2b8b994464a79b77fbeac9be30.exe"
- C:\Windows\Explorer.EXE (PID: 3568)
  Command line: C:\Windows\Explorer.EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 4KB
- MD5: ed0560feee947f22e9898f88658c85d9
- SHA1: a5e97652b80390508d290fa61491086dc9efa229
- SHA256: 66445039fd8dd9ff4c34b8580e26783856e4152024ef7f77f343d565c0a5a898
- SHA512: c6d76d288ed00f72522f1d387b616cebcc1622c46d59c1b366233c8b83090f54014b71a021375cf20caad1ab02a496f83a83ea0f33ae1ce0796bc24e4d90a8be