d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Size

883KB
MD5

e971fbdaaa67de4306e72738e3a10392
SHA1

bac689957e126c88435f22ef0b0df10c3b52e1fc
SHA256

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b
SHA512

bee73df1600df0184876d86f16193bd8c86353ff2608524debf84fad1a52730dfab91186bea5e89d60338f6ee0f007f2ffe2cd11ec9598d4245a3043a023ca34
SSDEEP

12288:Wj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJgx3ZGBnxxSmOMrXJK45d1b:W2a4KCycrPQIo+aePmx6nxxSm1J11

Score

7^/10

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	skype.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 1716	3024	skype.exe	37
PID 1716 set thread context of 1272	1716	AddInProcess32.exe	18
PID 1716 set thread context of 1368	1716	AddInProcess32.exe	38
PID 1368 set thread context of 1272	1368	NAPSTAT.EXE	18

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2664	PING.EXE
2640	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
2316	skype.exe
2316	skype.exe
2316	skype.exe
2316	skype.exe
2316	skype.exe
3024	skype.exe
3024	skype.exe
3024	skype.exe
3024	skype.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1716	AddInProcess32.exe
1368	NAPSTAT.EXE
1368	NAPSTAT.EXE
1368	NAPSTAT.EXE
1368	NAPSTAT.EXE
1368	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1716	AddInProcess32.exe
1272	Explorer.EXE
1272	Explorer.EXE
1368	NAPSTAT.EXE
1368	NAPSTAT.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Token: SeDebugPrivilege	2316	skype.exe
Token: SeDebugPrivilege	3024	skype.exe
Token: SeDebugPrivilege	1716	AddInProcess32.exe
Token: SeDebugPrivilege	1368	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2316	3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	28
PID 3000 wrote to memory of 2316	3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	28
PID 3000 wrote to memory of 2316	3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	28
PID 3000 wrote to memory of 2316	3000	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	28
PID 2316 wrote to memory of 2772	2316	skype.exe	31
PID 2316 wrote to memory of 2772	2316	skype.exe	31
PID 2316 wrote to memory of 2772	2316	skype.exe	31
PID 2316 wrote to memory of 2772	2316	skype.exe	31
PID 2772 wrote to memory of 2664	2772	cmd.exe	33
PID 2772 wrote to memory of 2664	2772	cmd.exe	33
PID 2772 wrote to memory of 2664	2772	cmd.exe	33
PID 2772 wrote to memory of 2664	2772	cmd.exe	33
PID 2772 wrote to memory of 2640	2772	cmd.exe	34
PID 2772 wrote to memory of 2640	2772	cmd.exe	34
PID 2772 wrote to memory of 2640	2772	cmd.exe	34
PID 2772 wrote to memory of 2640	2772	cmd.exe	34
PID 2772 wrote to memory of 3024	2772	cmd.exe	35
PID 2772 wrote to memory of 3024	2772	cmd.exe	35
PID 2772 wrote to memory of 3024	2772	cmd.exe	35
PID 2772 wrote to memory of 3024	2772	cmd.exe	35
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 268	3024	skype.exe	36
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 3024 wrote to memory of 1716	3024	skype.exe	37
PID 1272 wrote to memory of 1368	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1368	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1368	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1368	1272	Explorer.EXE	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
  "C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\skype.exe
    "C:\Users\Admin\AppData\Local\Temp\skype.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        5⤵
        Runs ping.exe
        
        PID:2664
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        5⤵
        Runs ping.exe
        
        PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe

Filesize
517KB

MD5
97535e286378a48b4167549cbf4e076b

SHA1
5e72e43f06f6d6bfeee9032bdbd761b3190c51b9

SHA256
c1e1d76d5a704e2d11131b75b2076bfc7434ac4277c24187705dcb8d3b864574

SHA512
cd66f0db9d88faf3f205f2de4efe6dea6c38de6ae420d93a58f65a15eefb40ee25e5bd341bbdd15065377a72df30ceba8636b7094250f40d9098a3e0baf58b27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe

Filesize
64KB

MD5
6a6127babd61abba6f74fc96b1b23855

SHA1
ea6f3bc4764f8d1ea0ec84067391ef0a003a8744

SHA256
0dc67b4df6896a7f5bca2a52cdad5761ea685a6d2e39d34b80b4c57919509dd8

SHA512
6f151bd118bf0a36ec077f7035d4592eeecfe2bf335b3d0e7143ff3247ea02b482e8b424dc7a50e75784f41577e98d0dc1c30fc6c72c8710880d17daff96fcac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe

Filesize
549KB

MD5
2a539860c4a854e5e54d7ca5575d767e

SHA1
2738cd0c609fb833293f09fcd5177e18f4924a28

SHA256
116724be994450cb055d56038c77fc0a8e1192b09a0f3df070d917f86548cb60

SHA512
55024e1ae3f4520542cbff5fbef32e15109d852b5b0368fe7b1facc4dd887f3fb2becadc0b7234a4ae3b2f7eef2fd663feee95f7a9bf09f52a33320fad04cb7b

Download Submit
memory/268-23-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/268-22-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/268-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1272-37-0x0000000008970000-0x000000000A524000-memory.dmp

Filesize
27.7MB

Download
memory/1368-44-0x0000000001D60000-0x0000000001E01000-memory.dmp

Filesize
644KB

Download
memory/1368-43-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1368-42-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1368-39-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1368-38-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1716-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-41-0x00000000001C0000-0x00000000001E2000-memory.dmp

Filesize
136KB

Download
memory/1716-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-36-0x00000000001C0000-0x00000000001E2000-memory.dmp

Filesize
136KB

Download
memory/1716-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1716-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-33-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/2316-6-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-7-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2316-8-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-2-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/3000-0-0x0000000001210000-0x00000000012F2000-memory.dmp

Filesize
904KB

Download
memory/3000-3-0x00000000005D0000-0x0000000000614000-memory.dmp

Filesize
272KB

Download
memory/3000-1-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-5-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-16-0x00000000010E0000-0x00000000011C2000-memory.dmp

Filesize
904KB

Download
memory/3024-28-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-29-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/3024-18-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/3024-32-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-30-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/3024-17-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-21-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/3024-20-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/3024-19-0x0000000000670000-0x000000000068A000-memory.dmp

Filesize
104KB

Download