Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-02-2024 18:47

General

  • Target

    9c6048ad660972b8b357e8d8e994edd5.exe

  • Size

    45KB

  • MD5

    9c6048ad660972b8b357e8d8e994edd5

  • SHA1

    da01fc2b475dd2e67035d2dadfed532a6bfa905d

  • SHA256

    cf6c02293622bc5ac57fba38ef2948b9545e4996e98faf068bfeb6a408ef259e

  • SHA512

    22152dad8290c55f4f05d0e5d9cfb3b8994e80b70b487fad0c2b74613374ec047d1c5232479e447df09c9399d1c665e21e678e70ae8c1ea0e74f48015a4fe59e

  • SSDEEP

    768:HZsJIDGQ4AdDIQjPMTa809gX2/DpgW1Gr0udA+mPjy6JmNoa+zYgHFbB41nMaz5D:5WlGDIEI09XVg/dA+mLPJmNoa+EgHI1r

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c6048ad660972b8b357e8d8e994edd5.exe
    "C:\Users\Admin\AppData\Local\Temp\9c6048ad660972b8b357e8d8e994edd5.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\ishost.exe
      C:\Windows\system32\ishost.exe
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\ismon.exe
        C:\Windows\system32\ismon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9C6048~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2812

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\ismon.exe

    Filesize

    5KB

    MD5

    9c483866f9db2a6509eb0c06a4707bea

    SHA1

    68b47d95cc4eabfd8e12abde495bdf29a0572f31

    SHA256

    a4424a6e2bcb12e7063fd61fa88f658fecc88a46435e9d2c3dfa01e347fe1f77

    SHA512

    5f4eb705593d3f67648d4d01e74d11281ab02e4ab7428f17d50f13a11487d3b2ebeea55a34a4dcb0bd4dbad0e23517c4e5dfa57fd31867649760f57771946680

  • \Windows\SysWOW64\ishost.exe

    Filesize

    27KB

    MD5

    ad12c88d3ffc08b31d3dbd6fe41cf6ad

    SHA1

    b6b996b1e3778ce7d2fe4f30c724736c63cd61e7

    SHA256

    7f5e31da79e7624389b74609e462c87f226dae7c485d635693c3ff8e7a52e54a

    SHA512

    8b47427d7b0c46eff7cc1e1e9ef92225108a218e0a0dfcb9860400ec21ef32bfc2ee9c403d9f1494a63b54fc1518915a720dc2655beb60625c353676970d7f13