Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 21:58
Static task: static1
Behavioral task: behavioral1
  Sample: aa428ff0019adadd688d0e1460f62ad8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa428ff0019adadd688d0e1460f62ad8.exe
  Resource: win10v2004-20240226-en
General
Target: aa428ff0019adadd688d0e1460f62ad8.exe
Size: 152KB
MD5: aa428ff0019adadd688d0e1460f62ad8
SHA1: ef676a63d193f497076ee1c8cf106e2cfa910380
SHA256: 4f5e06b5c32fa53acae1e10bf68a01ce41dd546d4356aeabedacedb25ea55cc2
SHA512: 08d0202f7dc0eb08e6f407c55ddc15321745f6637fcf34d8f125faa6835401edf05015b4e16214ffc8d1cc95271ddcceb4d41f6c044b6c03482478c3fd59486a
SSDEEP: 3072:b1dlKwgj23+Oz05YoNozBI4b81QxTkMXfFPB4w19:b1dlZro5yqQxwmf92g
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2600  LD-EDITOR.exe
  2112  server.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2256  aa428ff0019adadd688d0e1460f62ad8.exe
  2256  aa428ff0019adadd688d0e1460f62ad8.exe
  2256  aa428ff0019adadd688d0e1460f62ad8.exe
  2256  aa428ff0019adadd688d0e1460f62ad8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2112  server.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2600  LD-EDITOR.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                               procid_target
  PID 2256 wrote to memory of 2600  2256  aa428ff0019adadd688d0e1460f62ad8.exe  28
  PID 2256 wrote to memory of 2600  2256  aa428ff0019adadd688d0e1460f62ad8.exe  28
  PID 2256 wrote to memory of 2600  2256  aa428ff0019adadd688d0e1460f62ad8.exe  28
  PID 2256 wrote to memory of 2600  2256  aa428ff0019adadd688d0e1460f62ad8.exe  28
  PID 2256 wrote to memory of 2112  2256  aa428ff0019adadd688d0e1460f62ad8.exe  29
  PID 2256 wrote to memory of 2112  2256  aa428ff0019adadd688d0e1460f62ad8.exe  29
  PID 2256 wrote to memory of 2112  2256  aa428ff0019adadd688d0e1460f62ad8.exe  29
  PID 2256 wrote to memory of 2112  2256  aa428ff0019adadd688d0e1460f62ad8.exe  29
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
  PID 2112 wrote to memory of 1192  2112  server.exe                            12
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1192
   2. C:\Users\Admin\AppData\Local\Temp\aa428ff0019adadd688d0e1460f62ad8.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\aa428ff0019adadd688d0e1460f62ad8.exe"
      PID: 2256
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Extracted\LD-EDITOR.exe
         command line: "C:\Extracted\LD-EDITOR.exe"
         PID: 2600
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
      3. C:\Extracted\server.exe
         command line: "C:\Extracted\server.exe"
         PID: 2112
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
  MD5: 864192ae3616161af4895b6474f5f972
  SHA1: 387e915d0d7c89400fac00a52170dd5a76f8007f
  SHA256: fdcda52ffd834f2a48e4cfd5823a349986440f934de372a09b6728e0415d984b
  SHA512: 7afe3cdad8e480bc70cfca48eaa7f591751f56ef4f9b60890ff6fcf2b27bab87362fe99e19fa8fcaf78951c316330e0e0be6999ec85df7a68d927bd3aacbe4c4
- Filesize: 40KB
  MD5: df272b8e62917668511b6b2b00b6db84
  SHA1: 4ab2229aace98561c98bc13088c7418ecf638907
  SHA256: 03709c2b32c4e19e474c20e911359a6047fbc563cc997bd6304fb91e76b28d38
  SHA512: 4a17edb0858dbb1564eaba0850e72161c8c076478ff71584ec8f5969eddf1cc142388c7e4fe7d707506f5fe685edc76d5d4bfb4366339b184f71c263f52f7511
- Filesize: 63KB
  MD5: b129f675a0cba74d6a39624b08354c80
  SHA1: 8a6500eff9dc05d2e46cc929762b07b8f8aad665
  SHA256: a359002f011fa5579482626fdb6a0dd3fad8e9905f6e17f914adbe1c952aa2b7
  SHA512: cbc58670027e459b6b55ee9afd666dc20d210d519dd37a8bad55b0b7fbe64250d365426428ab2537fca833c85ec04bb7771e790e524ee948544066cfa645dab2