Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-02-2024 10:46
Static task
static1
Behavioral task
behavioral1
Sample
a1ac900ec5e97852d7d4210a419f005e.exe
Resource
win7-20240221-en
General
-
Target
a1ac900ec5e97852d7d4210a419f005e.exe
-
Size
2.0MB
-
MD5
a1ac900ec5e97852d7d4210a419f005e
-
SHA1
3a30fb4bb14cbe13ae8feca679952af098bdcd91
-
SHA256
41fee2ac0816763adeeea287e43c07a24d35af788e24a46afd81d6a9f7c6afdb
-
SHA512
d7687210be3a7b893b6ee96351e11eda619582658d61975bd8d2da6956d6e76f5a1d0c057ed6ad0b56675b1cdabf7b1ed9d4bb5b183032156d8d25bd97b6ef20
-
SSDEEP
49152:3c9TQ0g5M9mUTEV3iPnjb8DC6u9s/ZQQB4udeOJkwAb:MdQ0v9mU4SsDpu9CObOJhAb
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
a1ac900ec5e97852d7d4210a419f005e.exepid process 1876 a1ac900ec5e97852d7d4210a419f005e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a1ac900ec5e97852d7d4210a419f005e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe" a1ac900ec5e97852d7d4210a419f005e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
a1ac900ec5e97852d7d4210a419f005e.exepid process 1876 a1ac900ec5e97852d7d4210a419f005e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1ac900ec5e97852d7d4210a419f005e.exedescription pid process Token: SeDebugPrivilege 1876 a1ac900ec5e97852d7d4210a419f005e.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
a1ac900ec5e97852d7d4210a419f005e.execmd.exewscript.exedescription pid process target process PID 1876 wrote to memory of 2536 1876 a1ac900ec5e97852d7d4210a419f005e.exe cmd.exe PID 1876 wrote to memory of 2536 1876 a1ac900ec5e97852d7d4210a419f005e.exe cmd.exe PID 1876 wrote to memory of 2536 1876 a1ac900ec5e97852d7d4210a419f005e.exe cmd.exe PID 1876 wrote to memory of 2536 1876 a1ac900ec5e97852d7d4210a419f005e.exe cmd.exe PID 2536 wrote to memory of 2684 2536 cmd.exe wscript.exe PID 2536 wrote to memory of 2684 2536 cmd.exe wscript.exe PID 2536 wrote to memory of 2684 2536 cmd.exe wscript.exe PID 2536 wrote to memory of 2684 2536 cmd.exe wscript.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 1876 wrote to memory of 2560 1876 a1ac900ec5e97852d7d4210a419f005e.exe svhost.exe PID 2684 wrote to memory of 2908 2684 wscript.exe cmd.exe PID 2684 wrote to memory of 2908 2684 wscript.exe cmd.exe PID 2684 wrote to memory of 2908 2684 wscript.exe cmd.exe PID 2684 wrote to memory of 2908 2684 wscript.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1ac900ec5e97852d7d4210a419f005e.exe"C:\Users\Admin\AppData\Local\Temp\a1ac900ec5e97852d7d4210a419f005e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "4⤵
- Drops startup file
-
C:\Windows\Temp\svhost.exeC:\Windows\Temp\svhost.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\caca.batFilesize
47B
MD558ccb87aa1da4939df403810f1e68b6b
SHA1dc8551f41682e5cb1dd25af3f11a789b1d37b295
SHA256eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b
SHA51217ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0
-
C:\Users\Admin\AppData\Local\Temp\caca2.batFilesize
151B
MD5ed28c618f7d8306e3736432b58bb5d27
SHA1441e6dab70e31d9c599fcd9e2d32009038781b42
SHA256d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3
SHA5124257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880
-
C:\Users\Admin\AppData\Local\Temp\invs.vbsFilesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
C:\Users\Admin\AppData\Local\Temp\rundll32 .exeFilesize
1.1MB
MD5cb55e0ed2748f58327eda61eeda28ec0
SHA16c093455cd16564c1d473fe613c2e97a622a1275
SHA2561eac1de893e00983197d7667570851bea15604ab2ccb013cba1fcb169a0d606e
SHA5123b8cfc1059307f6b608688a7cb744a5950f8e97ee0f5791530a084c0bfe8fcce5cb63ada56123fb126f36498ad9de5c0170bdea524ed4644446aeee4769f87a2
-
C:\Users\Admin\AppData\Local\Temp\rundll32-.txtFilesize
2.0MB
MD5a1ac900ec5e97852d7d4210a419f005e
SHA13a30fb4bb14cbe13ae8feca679952af098bdcd91
SHA25641fee2ac0816763adeeea287e43c07a24d35af788e24a46afd81d6a9f7c6afdb
SHA512d7687210be3a7b893b6ee96351e11eda619582658d61975bd8d2da6956d6e76f5a1d0c057ed6ad0b56675b1cdabf7b1ed9d4bb5b183032156d8d25bd97b6ef20
-
\Windows\Temp\svhost.exeFilesize
1.1MB
MD534aa912defa18c2c129f1e09d75c1d7e
SHA19c3046324657505a30ecd9b1fdb46c05bde7d470
SHA2566df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
memory/1876-0-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1876-2-0x0000000002060000-0x00000000020A0000-memory.dmpFilesize
256KB
-
memory/1876-1-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1876-40-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1876-41-0x0000000002060000-0x00000000020A0000-memory.dmpFilesize
256KB
-
memory/2560-22-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/2560-25-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/2560-26-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/2560-28-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/2560-32-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/2560-30-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB