Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/02/2024, 02:57

General

  • Target

    aa3d0852067bd1fd257472f5af3c2b17.exe

  • Size

    564KB

  • MD5

    aa3d0852067bd1fd257472f5af3c2b17

  • SHA1

    8d974d97d8f595f3514312fd38e91673fc1154ce

  • SHA256

    56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242

  • SHA512

    ab7d212520dba64cc89e1e3976905edfe2f84b9a9195aa96af3d0920e3ca738a7814c79cddd9f7fbc17be5304627fd6881a7ef3b872cdeb5c61b8dd55a7a9bcd

  • SSDEEP

    12288:kaTYg3j932XwPDh3evCgso/zLW5E1/boCvZSnO5v5n9LOTdENm:tTY0j991JkC5E1/ECxSU5n9+EE

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe
    "C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\Fonts\76ZIHMEZJI.sys
      C:\Windows\Fonts\\76ZIHMEZJI.sys
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
      2⤵
      • Deletes itself
      PID:2564

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tem.vbs

          Filesize

          220B

          MD5

          a027919e332b58969f064e8da9155a4d

          SHA1

          0ecf2b41e09461983b4a6f4b325442cb958fb2e9

          SHA256

          8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7

          SHA512

          851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803

        • \Windows\Fonts\76ZIHMEZJI.sys

          Filesize

          720KB

          MD5

          a7008ec876370b1fef6b9a594ffd1009

          SHA1

          46774968567c74145dcc8b15f6b127547e90a581

          SHA256

          25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574

          SHA512

          87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc

        • memory/2324-0-0x0000000000400000-0x0000000000565000-memory.dmp

          Filesize

          1.4MB

        • memory/2324-11-0x0000000002020000-0x00000000020E7000-memory.dmp

          Filesize

          796KB

        • memory/2324-8-0x0000000002020000-0x00000000020E7000-memory.dmp

          Filesize

          796KB

        • memory/2324-19-0x0000000000400000-0x0000000000565000-memory.dmp

          Filesize

          1.4MB

        • memory/2956-10-0x0000000000400000-0x00000000004C63E0-memory.dmp

          Filesize

          792KB