Analysis

max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 18:56

Static task: static1
Behavioral task: behavioral1
Sample: 8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
Resource: win7-20231215-en
General

Target: 8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
Size: 20KB
MD5: 8fe72633f6b0fb3ab0e91047b9e9dfc7
SHA1: e42c34d891bb2c0f6e59974ad1d9e5b1912ac4e8
SHA256: 8b03a03fab5823b2c1d25512f55cc08452fb3a8fda6c83c53bbba7bbdb6bc42e
SHA512: 30030518802018356e9bb2ff1768ff7a476be934648cc579681bf74f4154de09c316e5b10307ac37402399911723d605afced8473647321b87ac5c5681149b7d
SSDEEP: 384:9KWrXbCVnik0JoOJTEzeMFvg9to5eR3POfbEoRrJ1gaG:9jrVEaMO9tAeNeRY
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2272  cmd.exe

Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description  ioc                                                                                                                                   Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3a729da-eabc-df50-1842-dfd682644311}  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe

Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\mswapi.dll    8fe72633f6b0fb3ab0e91047b9e9dfc7.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
  description      ioc                                                                                                                   Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}                            8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32             8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswapi.dll"  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ThreadingModel = "Apartment"  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\script = 18b449998991e1c3e4419ec72743b4d1b41bc098362d58e33d16a18321fe2c6d846ec0  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   Process                               procid_target
  PID 2056 wrote to memory of 2272  2056  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe  29
  PID 2056 wrote to memory of 2272  2056  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe  29
  PID 2056 wrote to memory of 2272  2056  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe  29
  PID 2056 wrote to memory of 2272  2056  8fe72633f6b0fb3ab0e91047b9e9dfc7.exe  29
Processes

1. C:\Users\Admin\AppData\Local\Temp\8fe72633f6b0fb3ab0e91047b9e9dfc7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8fe72633f6b0fb3ab0e91047b9e9dfc7.exe"
   PID: 2056
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2056)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delt.bat" "
      PID: 2272
      - Deletes itself

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 214B
MD5: f73a3b3d034e62ea99d1f4e01b6cb41e
SHA1: 22f63a73d1d28de7270fb6615c0d0059b5043f7c
SHA256: 5dd75c9f9a26d02c0d646d1dd6c886c63f6af52104f1637d19eb7ccafd6d1f88
SHA512: b59771f658c4d12693c4db333e15f132093f868e87bd111de5384bc47cb921987899c3c6f078faf650b26aeda299560bfce7514077fbbb45102505abb23272b1