Analysis
max time kernel: 127s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 03:14
Behavioral task behavioral1
Sample: ad8b768df90e91bc06b78a7efa2beeec.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: ad8b768df90e91bc06b78a7efa2beeec.exe
Resource: win10v2004-20240226-en
General
Target: ad8b768df90e91bc06b78a7efa2beeec.exe
Size: 627KB
MD5: ad8b768df90e91bc06b78a7efa2beeec
SHA1: 3bce6c3168bc5263eb63daeaf7b2efe6a77adbb9
SHA256: 3def1d7a47f90ad389386fbad842bae3ea8fb5957c79d60b4b639e646d9caed0
SHA512: 843edc0b704e8dd0a7a2fe803fb92ae64b8095d02a8f333ae34b1412cb81039b713802e667311ce915b5d7b02e2b52e17f8e3e1552e13997905f9499281476b7
SSDEEP: 12288:/kceA/yvZlvZLxl0V+xZSVbS3jW9OC5N+X5roR00k/Gr:/BeZlhFPLsbSJM+XFC09O
Malware Config

Signatures

resource                                     yara_rule
behavioral1/files/0x00070000000120e4-42.dat  aspack_v212_v242
behavioral1/files/0x00070000000120e4-53.dat  aspack_v212_v242

Deletes itself (1 IoC)
pid   Process
1976  cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
2500  wdfsdf

Drops file in Windows directory (3 IoCs)
description                   ioc                      Process
File created                  C:\Windows\wdfsdf        ad8b768df90e91bc06b78a7efa2beeec.exe
File opened for modification  C:\Windows\wdfsdf        ad8b768df90e91bc06b78a7efa2beeec.exe
File created                  C:\Windows\uninstal.bat  ad8b768df90e91bc06b78a7efa2beeec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2872  ad8b768df90e91bc06b78a7efa2beeec.exe
Token: SeDebugPrivilege  2500  wdfsdf

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2500  wdfsdf

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                               procid_target
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
PID 2872 wrote to memory of 1976  2872  ad8b768df90e91bc06b78a7efa2beeec.exe  30
Processes

C:\Users\Admin\AppData\Local\Temp\ad8b768df90e91bc06b78a7efa2beeec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad8b768df90e91bc06b78a7efa2beeec.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2872

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\uninstal.bat
      - Deletes itself
      PID: 1976

C:\Windows\wdfsdf
  Command line: C:\Windows\wdfsdf
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2500
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 436B
MD5: de0747ad6ce33224bdf7885adee6a754
SHA1: f88029bced21488bb266e3fbb659191750c39508
SHA256: ebdfdba5bd19c4c69fb68bda9f4bfadb92836166e3f31b80b2d208d729d7cbbc
SHA512: 3e0fe097468e14f84470ec1b137fd2ed13590e5a22b359757e463ed50939ff1d390adb374e687a2a4ca92cf32a5612eb39f47e53ec5cac109e0251b9ca1af62a

Filesize: 627KB
MD5: ad8b768df90e91bc06b78a7efa2beeec
SHA1: 3bce6c3168bc5263eb63daeaf7b2efe6a77adbb9
SHA256: 3def1d7a47f90ad389386fbad842bae3ea8fb5957c79d60b4b639e646d9caed0
SHA512: 843edc0b704e8dd0a7a2fe803fb92ae64b8095d02a8f333ae34b1412cb81039b713802e667311ce915b5d7b02e2b52e17f8e3e1552e13997905f9499281476b7

Filesize: 448KB
MD5: 66a3cbc832f7081c3b809be13bede95c
SHA1: 3d17ad19c1684cb7ad495fa384746bb576f21651
SHA256: 00c4d6c7428ff213579a9afcce3379c5dae821cafe83255d4565db760d8cfee7
SHA512: 0f926b41a528adf70a07c6be02457360b3e37e2c6763389024f2cf19f604e5f43e7c547523f818b3b580ec2f6aeeabc9d56b4a3e19dfc38152b0d0dd12e6165d