Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2024 01:17
Behavioral task: behavioral1
Sample: 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe
Resource: win10v2004-20231215-en
General
Target: 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe
Size: 1.1MB
MD5: f6ccd7d54c0d360846211977110a7c20
SHA1: be26eb65426c1ac5a4b45d6493cc3c810f6a2419
SHA256: 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16
SHA512: 8c208674cbb6947db7f67150382124d0665d9fbb3ae0770fce88bbfa8ccb160cdb68e56a0d7416d60b242354524cbd05a8ccbc83a87adb75e9bd60845f5ad190
SSDEEP: 24576:FD9O4MROxnFE30dc1RurZlI0AilFEvxHi6G:FhNMiuHburZlI0AilFEvxHi
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\Boot\err_bff5c852ae7b4868a2aa18ea8de24aa3.dat
  Process: 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2288 wrote to memory of 2748 | 2288 | 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | 28
  PID 2288 wrote to memory of 2748 | 2288 | 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | 28
  PID 2288 wrote to memory of 2748 | 2288 | 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | 28
  PID 2748 wrote to memory of 2328 | 2748 | csc.exe | 30
  PID 2748 wrote to memory of 2328 | 2748 | csc.exe | 30
  PID 2748 wrote to memory of 2328 | 2748 | csc.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe"
   PID: 2288
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzp3zi35.cmdline"
      PID: 2748
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50CE.tmp"
         PID: 2328
Network
MITRE ATT&CK Matrix
Downloads