Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 23:27
Static task: static1
Behavioral task: behavioral1
- Sample: 97e417403ea1f782b2c83718a1e3394a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 97e417403ea1f782b2c83718a1e3394a.exe
- Resource: win10v2004-20231215-en
General
- Target: 97e417403ea1f782b2c83718a1e3394a.exe
- Size: 148KB
- MD5: 97e417403ea1f782b2c83718a1e3394a
- SHA1: 24a7768bd1834d5a37a6cbdc6fa7c065d77dfbb0
- SHA256: 28b43ea6edbb5f2a043a4416c1733deb3c1e9f441b03fff42c8548a77d92fdd2
- SHA512: 4a606b9c8e9ce882f54fe3e3f5094acacc73b87090f9a444ba297d578feb18f984f32a42d4cc33b6ed29cfae8c489bf0410043b213239d975ff1984eff62abfa
- SSDEEP: 3072:BKyld6svhIS4zxu9lX2QhfnoZACG8scHj0M84bLrF:wQd6pxumIoiCG/5M/d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4040 | nopdb.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Windows\\SSTEM~1\\nopdb.exe\" -vt ndrv" | 97e417403ea1f782b2c83718a1e3394a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Windows\\SSTEM~1\\nopdb.exe\" -vt ndrv" | nopdb.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SSTEM~1\nopdb.exe | 97e417403ea1f782b2c83718a1e3394a.exe
  File created | C:\Windows\SSTEM~1\nopdb.exe | 97e417403ea1f782b2c83718a1e3394a.exe
  File opened for modification | C:\Windows\SSTEM~1\nopdb.exe | nopdb.exe
  File created | C:\Windows\SSTEM~1\nopdb.exe | nopdb.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4080 wrote to memory of 4040 | 4080 | 97e417403ea1f782b2c83718a1e3394a.exe | 84
  PID 4080 wrote to memory of 4040 | 4080 | 97e417403ea1f782b2c83718a1e3394a.exe | 84
  PID 4080 wrote to memory of 4040 | 4080 | 97e417403ea1f782b2c83718a1e3394a.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\97e417403ea1f782b2c83718a1e3394a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\97e417403ea1f782b2c83718a1e3394a.exe"
   PID: 4080
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SSTEM~1\nopdb.exe (child of PID 4080)
      Command line: C:\Windows\SSTEM~1\nopdb.exe -vt ndrv
      PID: 4040
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- 97e417403ea1f782b2c83718a1e3394a.exe
  Filesize: 148KB
  MD5: 97e417403ea1f782b2c83718a1e3394a
  SHA1: 24a7768bd1834d5a37a6cbdc6fa7c065d77dfbb0
  SHA256: 28b43ea6edbb5f2a043a4416c1733deb3c1e9f441b03fff42c8548a77d92fdd2
  SHA512: 4a606b9c8e9ce882f54fe3e3f5094acacc73b87090f9a444ba297d578feb18f984f32a42d4cc33b6ed29cfae8c489bf0410043b213239d975ff1984eff62abfa