5c877175974a5fd36d27ce10fc0ca70aa20555779c6098b19d35431575f57dc0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2b63d9a2848033bc8f0bfeb3cbeacd2.exe
Size

332KB
MD5

a2b63d9a2848033bc8f0bfeb3cbeacd2
SHA1

d802296f700432f7da660840fe19f2c82a1ed6db
SHA256

5c877175974a5fd36d27ce10fc0ca70aa20555779c6098b19d35431575f57dc0
SHA512

2ce892a16e40d48e4122989efc3fc8b7d844109e94f1141a82f309081eae9e7437ddbbc13c5d4e38ced75a07c8071835a796c91306bf4b2cbb7a229409e56485
SSDEEP

6144:3cWMJJhqryYP/daqmhzya865UMlFSwJ91gVMHTBYcSojEVWS5IvaIr:3czJJhqrVPlKwaoMlEmuKTBFljq5KaIr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2324	123.exe
2564	asd.exe
2532	asd.exe
2432	nvvtray.exe

Loads dropped DLL 10 IoCs

pid	Process
2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe
2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe
2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe
2564	asd.exe
2532	asd.exe
2532	asd.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2532	2564	asd.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	2432	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	nvvtray.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	asd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	123.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2324	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	28
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2212 wrote to memory of 2564	2212	a2b63d9a2848033bc8f0bfeb3cbeacd2.exe	29
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2564 wrote to memory of 2532	2564	asd.exe	30
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2532 wrote to memory of 2432	2532	asd.exe	31
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32
PID 2432 wrote to memory of 2916	2432	nvvtray.exe	32

C:\Users\Admin\AppData\Local\Temp\a2b63d9a2848033bc8f0bfeb3cbeacd2.exe
"C:\Users\Admin\AppData\Local\Temp\a2b63d9a2848033bc8f0bfeb3cbeacd2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\123.exe
  "C:\Users\Admin\AppData\Local\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\asd.exe
  "C:\Users\Admin\AppData\Local\Temp\asd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\asd.exe
    C:\Users\Admin\AppData\Local\Temp\asd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 288
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe

Filesize
192KB

MD5
5df4e8b151a05274d306c6bd7942a8a6

SHA1
bf479df93267a7a99d362a7112ba8502caaee82d

SHA256
8f58ba603158fc1391b8c92fa3ad7c3b112339992ab9bec90aac56098d14a2bd

SHA512
55fd940a83d873009eba91fdd80a0009e189cead18ec9e3161e7c6f348a9505ebbe97b76d8abcd720308e1734ef817d0f549f86993a3ef95b6a315b0d761b787

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe

Filesize
223KB

MD5
5f4fd60cf307bfe3fe96f15a78d9491b

SHA1
fdd3e72f32a3c492542561067a0d0c7a36c23231

SHA256
b91f3dbe59631b9d633903aeeb829dd56e4761a51be2dfa7fffe5f999c7cb0c4

SHA512
aaae69797a2ed089f53fecabc623b08c51e8ebcb35dd91b774e008ee41e23665943a668795e13cbd1ae2fe0b48d325201cd682bc7817aaae463a061f3e5ece3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Language\English.lang

Filesize
2KB

MD5
63d8d7d597bc262644d9147bd4983e32

SHA1
18d08e1b59af89b02a94f668b7102d9851178410

SHA256
32cb2a88ab9d41d10575932947bdf8d7980ba1f3c7c9518f9a6167fceb49d7bf

SHA512
9cb69feb0ad2d773115df65da61a467b2e89fbe390121a785567bb85459c965a191cfc75b077c32424109e315dba5c6ef3606356885c6abae0b67cf53421c1ad

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe

Filesize
149KB

MD5
a7dd480cdc17bc47ec399f88aa8111c5

SHA1
ba6654510ad2062ee4df005db8a459cceda7045c

SHA256
178277dfd6da00067eedbe1241472f6aa1c6fb99efb1c248afc19df8ab0b861f

SHA512
dca5091058ae7bb4b6dcefe958b4805dc052f97943c04730e115d82b22f058d714a54cb66fdfedb25ba262ee30cf679a974bc1c3551d9eb80906691cdfeb6e4a

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe

Filesize
64KB

MD5
d4740ab91d1912aa71747e618c71b9c4

SHA1
53cc8a508ec1fb1f517425b6391b29406a2af29b

SHA256
b2fc9bd2597ce89a4f4cb1d4a10c1adada772a78f0fb129560ea0679b686a0c5

SHA512
f38f9076c303ee6e557e07c029c9097973bf80938003870b62b9d0b46f6955a6a8ae920648097c13f1cfdd8f7b29532680dffd279ff148f2c787ad49eca10964

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe

Filesize
256KB

MD5
2443767bf0a1d8a910ddbb66a986a45f

SHA1
f6cad14b4a3071d9cf741215d6df2503eb3b7502

SHA256
e88eb18d2bb39ce3d7d3f832d4bd31f2e42d3b0a2bbbb31ec2a66768dc55bcb6

SHA512
e1c88306191337089f5aaf46b9467ca7fd2f6596230defa4db07d29e6f8e8f435b3bf6cb8ba59ea46fe7e86bf76217f52d5e45d51932702e5a10908daa84df07

Download Submit
\Users\Admin\AppData\Local\Temp\asd.exe

Filesize
250KB

MD5
02eb637e08b5466caef64698cae0b1e2

SHA1
c1718e569d3305103890eeb0a1fe38d587f657f9

SHA256
b28c73d69d32272a4c6b507796794381a991550b742089fddf6ea4b6e9ee20d8

SHA512
370317f3d615fcd404f535bdf2bf2880cf2087835b1b121988b146b4a1fb4ea5c71ad02e591113d554e09340d795cfe499b561c6487852a73237f137fa61f3c4

Download Submit
memory/2432-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2532-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2532-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2564-46-0x0000000073D70000-0x000000007431B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-26-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/2564-25-0x0000000073D70000-0x000000007431B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-24-0x0000000073D70000-0x000000007431B000-memory.dmp

Filesize
5.7MB

Download