Analysis
max time kernel: 119s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 02:57
Behavioral task behavioral1
Sample: aa3d0852067bd1fd257472f5af3c2b17.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: aa3d0852067bd1fd257472f5af3c2b17.exe
Resource: win10v2004-20240226-en
General
Target: aa3d0852067bd1fd257472f5af3c2b17.exe
Size: 564KB
MD5: aa3d0852067bd1fd257472f5af3c2b17
SHA1: 8d974d97d8f595f3514312fd38e91673fc1154ce
SHA256: 56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242
SHA512: ab7d212520dba64cc89e1e3976905edfe2f84b9a9195aa96af3d0920e3ca738a7814c79cddd9f7fbc17be5304627fd6881a7ef3b872cdeb5c61b8dd55a7a9bcd
SSDEEP: 12288:kaTYg3j932XwPDh3evCgso/zLW5E1/boCvZSnO5v5n9LOTdENm:tTY0j991JkC5E1/ECxSU5n9+EE
Malware Config
Signatures

Deletes itself (1 IoCs)
pid 2564, Process WScript.exe

Executes dropped EXE (1 IoCs)
pid 2956, Process 76ZIHMEZJI.sys

Loads dropped DLL (5 IoCs)
pid 2324, Process aa3d0852067bd1fd257472f5af3c2b17.exe (2 rows)
pid 2532, Process WerFault.exe (3 rows)

Drops file in Windows directory (1 IoCs)
File created: C:\Windows\Fonts\76ZIHMEZJI.sys, Process aa3d0852067bd1fd257472f5af3c2b17.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid 2532, Process WerFault.exe, pid_target 2956, procid_target 28

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 2324, Process aa3d0852067bd1fd257472f5af3c2b17.exe (2 rows)

Suspicious use of WriteProcessMemory (12 IoCs)
PID 2324 wrote to memory of 2956, Process aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 28 (4 rows)
PID 2956 wrote to memory of 2532, Process 76ZIHMEZJI.sys, procid_target 29 (4 rows)
PID 2324 wrote to memory of 2564, Process aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 30 (4 rows)
Processes

C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2324

    C:\Windows\Fonts\76ZIHMEZJI.sys (depth 2, child of 2324)
    Command line: C:\Windows\Fonts\\76ZIHMEZJI.sys
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2956

        C:\Windows\SysWOW64\WerFault.exe (depth 3, child of 2956)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 36
        - Loads dropped DLL
        - Program crash
        PID: 2532

    C:\Windows\SysWOW64\WScript.exe (depth 2, child of 2324)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
    - Deletes itself
    PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 220B
MD5: a027919e332b58969f064e8da9155a4d
SHA1: 0ecf2b41e09461983b4a6f4b325442cb958fb2e9
SHA256: 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7
SHA512: 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803

Filesize: 720KB
MD5: a7008ec876370b1fef6b9a594ffd1009
SHA1: 46774968567c74145dcc8b15f6b127547e90a581
SHA256: 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574
SHA512: 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc