Analysis
- max time kernel: 143s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 02:40
Static task: static1
Behavioral task: behavioral1
- Sample: 96074841b8dd8bb15f3a9859bba79e7c.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 96074841b8dd8bb15f3a9859bba79e7c.exe
- Resource: win10v2004-20231215-en
General
- Target: 96074841b8dd8bb15f3a9859bba79e7c.exe
- Size: 4.3MB
- MD5: 96074841b8dd8bb15f3a9859bba79e7c
- SHA1: 4df22c0a4ffebb94cfb878f91b6d9c455554c234
- SHA256: ad6f1c3320c9147a178daedcde6d77896ca4d60ec3b113be0eea10b5d38770c3
- SHA512: 3c5c3f443deff2d289b16ad31af2c5b9f679e23e579502a0246b3c8a93bf2f50cd93e90a45d0f3d89c01d3625bdadf7f07a6c44dd55e9939e0dfcad1c48878f4
- SSDEEP: 98304:D3ga98rEvBBBBBBBqBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBd:D3Go
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 2240, process Services.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\WINDOWS\\system32\\winsp II\\Services.exe /nosplash" (process: 96074841b8dd8bb15f3a9859bba79e7c.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\WINDOWS\\SysWOW64\\winsp II\\Services.exe" (process: Services.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96074841b8dd8bb15f3a9859bba79e7c.exe" (process: 96074841b8dd8bb15f3a9859bba79e7c.exe)
- Drops file in System32 directory (5 IoCs)
  - File created C:\WINDOWS\SysWOW64\winsp II\Services.exe (process: 96074841b8dd8bb15f3a9859bba79e7c.exe)
  - File opened for modification C:\WINDOWS\SysWOW64\winsp II\ (process: Services.exe)
  - File opened for modification C:\WINDOWS\SysWOW64\winsp II\Services.exe (process: Services.exe)
  - File opened for modification C:\WINDOWS\SysWOW64\winsp II\ (process: 96074841b8dd8bb15f3a9859bba79e7c.exe)
  - File opened for modification C:\WINDOWS\SysWOW64\winsp II\Services.exe (process: 96074841b8dd8bb15f3a9859bba79e7c.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 2240, process Services.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2100 wrote to memory of 2240; pid 2100, process 96074841b8dd8bb15f3a9859bba79e7c.exe, procid_target 83 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\96074841b8dd8bb15f3a9859bba79e7c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\96074841b8dd8bb15f3a9859bba79e7c.exe"
   PID: 2100
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\WINDOWS\SysWOW64\winsp II\Services.exe (child of process 1)
   Command line: "C:\WINDOWS\system32\winsp II\Services.exe"
   PID: 2240
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Sample file, filesize 4.3MB; MD5, SHA1, SHA256 and SHA512 are identical to the values listed under General above.