Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/02/2024, 16:05

General

  • Target

    926c7852a627e66288bdeec0f2844994.exe

  • Size

    420KB

  • MD5

    926c7852a627e66288bdeec0f2844994

  • SHA1

    ebf419139f84580f75c1855e47f4006dd845823e

  • SHA256

    2e23d557ca1abae7de953d6dcde430e629c206698f3fa0618abb2f9cd8066dbc

  • SHA512

    ea02eef55549c8cfba93bb16c4203aa838dfe3f8410ebca73a635eab4ade09c9632b5d605f4f9cbff166df48393392e67a90314b3009243595cb5eb87b8e6194

  • SSDEEP

    6144:P4u/+HW5XX7OpslFlqnhdBCkWYxuukP1pjSKSNVkq/MVJbD:wSUW5XX7wsloTBd47GLRMTbD

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\926c7852a627e66288bdeec0f2844994.exe
        "C:\Users\Admin\AppData\Local\Temp\926c7852a627e66288bdeec0f2844994.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\stub.exe
          "C:\Users\Admin\AppData\Local\Temp\stub.exe" 0
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe" 0
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
              PID:588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize: 296KB
    MD5: 73420b862037b8d694a11a44fbd2f749
    SHA1: 35dabe230d746acc2c3a44e0083d3fbad57ada43
    SHA256: e3e6567036bf1a801e503aa940396973c5df7a3e74b965639001b6e1dac24022
    SHA512: 85caa50180c4bb6ec57767f1fa73108065d39c978e4d9745d9ab2466668b35631a950a50b8c162ad1073706dfbcceeb66dd3fcb15b9fcbca3da99c2f9cc6dc3a

  • \Users\Admin\AppData\Local\Temp\stub.exe
    Filesize: 112KB
    MD5: a73f36b8d1e46d3e7e04391b8c4f41b5
    SHA1: 94eaa799819eba8ff3d0acf49995daf36bb5bb59
    SHA256: a7608ca53777d47e2a77971c62e0d71ab0bf6c1b4abbbd28843601e74c088075
    SHA512: 32571f1d50e9f72148e55a971c3164533da275beb84591fa04802f74611083306a4fd576e2eb8a0172c933d9cafe4031fbbf31bf565f9d78b9cfd11f10aee85f

  • memory/588-271-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize: 4KB

  • memory/588-273-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize: 4KB

  • memory/1200-26-0x00000000021F0000-0x00000000021F1000-memory.dmp
    Filesize: 4KB