Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/02/2024, 21:53

General

  • Target

    8aa0c81d85cd15b6295dc749662c47b1.exe

  • Size

    351KB

  • MD5

    8aa0c81d85cd15b6295dc749662c47b1

  • SHA1

    76280cd27184645b1f6cc4b91e0382e1af642b87

  • SHA256

    8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7

  • SHA512

    2dc24809a521a5a472b0a9bce79d2e48eb02ac19b68f6827c984e40d03424e6c02d5249624ff1f944af2905547a51d0a1a33800d4fcea344b27364c675d8d45c

  • SSDEEP

    6144:wbwOQj1Culcg/vOyOY1Sa7MUfA5aaRIxL09cpUTqs/J94JET3O+jNTOMy9Mg:wbwOQBx/TOrqMVKL09cqJzECe+hOMy9p

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 17 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
    "C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
      C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

        Downloads

        • C:\Windows\SysWOW64\ver19111-890258183.txt
          Filesize: 2KB
          MD5: 245f43b8765dd5669acee5ca14809431
          SHA1: 70aa396c20933cdaabf5a27cb6cec66403d7213f
          SHA256: 54856a3879f8d3486bbd93c109fd9412081b44eac4b3427d579882086ee815e3
          SHA512: a082019585d345e6562ce86057f409bb16f0f0f776181a7163e19148e9d4d3fd2be4e05f777ec491f74e83b43aa3233615ece400d802a0adf80cfae5b9d48ada

        • C:\Windows\SysWOW64\ver19111-890258183.txt
          Filesize: 3KB
          MD5: 4e54d7a58318e67a087e997132ef1825
          SHA1: 2416dd79a5b5fd896108472f8fa0f8f0e5d2d67e
          SHA256: 1872765dcdf3e77222ada1d35f0634ca78746f03e3707c68385f9ddef1c13cd8
          SHA512: 5ad0d0805b436397254df22d10af4d190b8cd9d0b3c7a695a3a37854543d9024d400d4d4dc9e1301a71b03764a37ff3dd12b5cd58e34722903efb8755f2df149

        • C:\Windows\SysWOW64\ver19111-890258183.txt
          Filesize: 3KB
          MD5: 7c303d4aa154d0ad82867b031db4caf9
          SHA1: 2ef010eac443567d30e3f33f50368e9d11b03b8e
          SHA256: 151b30269646878e30900be6232534b1c30763d8b210c4d2b6852233e1a4b1c5
          SHA512: 22822297902f8495a8c7479cfb3f958159e1a51ddd72240f402cebc122605af6da5ad5b86173c7a66ec9d1516fe6add5b20f5bd5a25c504a7fbc23b794044ff4

        • C:\Windows\SysWOW64\ver19111-890258183.txt
          Filesize: 4KB
          MD5: 43edf561a95aca5f530dcbb3fc219ac5
          SHA1: ebd6bfa16d7747f29af02da4d0435ed5a03d4ce3
          SHA256: 5c357b0fef24a983ed3255417ecfbe08ec3d8a971843fda978393540182140bb
          SHA512: 574d23b9dd95fe0ed49673d8e97c4c62eb64041b4d69def02cc8288ad6083c924d16c90ab9113f830c9a099325a25cb719388fe3be3ac57c0df679312fef1b91

        • C:\Windows\kwv.cfg
          Filesize: 8B
          MD5: fd03887411dfd900c39337951e679b04
          SHA1: 42152a98048ce7705b7d41468fea303c30b7c28a
          SHA256: 526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0
          SHA512: 69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

        • \Windows\SysWOW64\vmmreg32.dll
          Filesize: 214KB
          MD5: 6b03feb120f2b1ee8c813dd040e9d4ab
          SHA1: e0dc0c7ad7c47787aa4771b3ee0a6d848c8666a2
          SHA256: 2f63c5f575bb8ac5a5346efd2dc2bfa232f36aedef5210dda334a066ffd3efe3
          SHA512: 7cfe70ff445190e1b64284718e0cb0dc5bcfaa20afe893647ece093993223d49a24139356434ac8a680dde63a9d93a0e115e298d0e3525f31a1b3850cc0158fe

        • memory/2680-5-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize: 424KB

        • memory/2680-12-0x0000000010000000-0x0000000010054000-memory.dmp
          Filesize: 336KB

        • memory/2680-14-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize: 8KB

        • memory/2680-11-0x0000000000600000-0x0000000000645000-memory.dmp
          Filesize: 276KB

        • memory/2680-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize: 4KB

        • memory/2680-334-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize: 424KB

        • memory/2680-335-0x0000000010000000-0x0000000010054000-memory.dmp
          Filesize: 336KB

        • memory/2680-339-0x0000000010000000-0x0000000010054000-memory.dmp
          Filesize: 336KB

        • memory/2680-345-0x0000000010000000-0x0000000010054000-memory.dmp
          Filesize: 336KB

        • memory/2752-0-0x0000000000400000-0x000000000046E000-memory.dmp
          Filesize: 440KB

        • memory/2752-4-0x0000000000400000-0x000000000046E000-memory.dmp
          Filesize: 440KB

        • memory/2752-1-0x0000000000030000-0x0000000000032000-memory.dmp
          Filesize: 8KB