Analysis
max time kernel: 136s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 09:30
Static task: static1
Behavioral task: behavioral1
Sample: documents.exe
Resource: win7-20231215-en
General
Target: documents.exe
Size: 877KB
MD5: 173aa6b5c260b3e19f1b979f054b02b0
SHA1: 9ea4da05677968a322acf4330699e76b31676130
SHA256: 0dd421edda69a829b7b9d025fd81f947085c0b3a54d9025312823a56c2b5df83
SHA512: 29415d7778eb7d1275815f1bcee0c3f0613f300df29172ab03d63c119491af6ced57c25c39ed27e010c0e7ce7be87de216bf2757480db9fd392b95c1f8282d51
SSDEEP: 24576:L/UAc8bshd1ixMpqvhnjqJR33ulonktC+FMIpSmUrSGG:L/U8bI1+MMv5YwloWCZU0m7
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 2456 set thread context of 2716; pid: 2456; process: documents.exe; target process: RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid: 2456; process: documents.exe (5 IoCs)
  pid: 2740; process: powershell.exe (1 IoC)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege; pid: 2456; process: documents.exe
  description: Token: SeDebugPrivilege; pid: 2740; process: powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 2716; process: RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description: PID 2456 wrote to memory of 2740; pid: 2456; process: documents.exe; target process: powershell.exe (4 IoCs)
  description: PID 2456 wrote to memory of 2092; pid: 2456; process: documents.exe; target process: schtasks.exe (4 IoCs)
  description: PID 2456 wrote to memory of 2716; pid: 2456; process: documents.exe; target process: RegSvcs.exe (12 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\documents.exe"
  PID: 2456
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 2456): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sTIDCEmUa.exe"
    PID: 2740
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Depth 2 (child of PID 2456): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTIDCEmUa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA41C.tmp"
    PID: 2092
    - Creates scheduled task(s)

  Depth 2 (child of PID 2456): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2716
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 0b4a7e603e0ee69f79d612af45572072
SHA1: 7bf5abfaf816f43487cb06e8a2b4ea6b925e3747
SHA256: 5a7bd18eaf054ee20a46840cc9ba852a3c4a6d3445a91828cd36f60426db8fdd
SHA512: 50c9c6308a3ef9bc32c04883d35d348beb63cfb819e828e8a216930d0d0c31461ef0376cfdeda57a6114077ac968de7d05f03e2a217f7ffaea54d20a2c5fb301