Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/02/2024, 03:46

General

  • Target

    ad9af3371c3dfd5314342e3b3757494d.exe

  • Size

    4KB

  • MD5

    ad9af3371c3dfd5314342e3b3757494d

  • SHA1

    145db4d30904f2d76b41efa689c7fcf9a21ece7f

  • SHA256

    7ba917d53b989bf4ab2731c4fbbe78dfbf7e04ddd58a011e52fdcb86ca929222

  • SHA512

    87ad9b802ab1aa634083232f41c5e9bb904deb150b1155f7c8b733fee539932514d25d6c2e45d321c78bf565a568aa9293820e8ac61ca491347f3ce6ff528e44

  • SSDEEP

    48:a6pBA188CevVemz5bESso1ii7wtYpstXplsTZ2j+holIIToqM/mthvGowRl/7hxB:hc18STQaii7/pobsW+KGIlsvBphX2

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad9af3371c3dfd5314342e3b3757494d.exe
    "C:\Users\Admin\AppData\Local\Temp\ad9af3371c3dfd5314342e3b3757494d.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c delas.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Windows\SysWOW64\inetsrv\svchost.exe
          C:\Windows\system32\inetsrv\svchost.exe
          3⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2844
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c delas.bat
              4⤵
                PID:1040

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\delas.bat

    Filesize

    100B

    MD5

    638bf1e292c2f677d4b8ad02a82c92bf

    SHA1

    ae4fc049718d1080acedf22bc09d5bb6ca9ff02c

    SHA256

    59b2b243060eae6ee9d73fc1c3613b00121823a0aa2d55bb8c1b7315cd95ccde

    SHA512

    42b8461eb5894ed48493e0eaf1007d6236af87043bfc173333623fca51314df83d67e120a0d5bf1e10d28111ba035090eef8b57d2622dd68f9c8705a66fd24b4

  • C:\Users\Admin\AppData\Local\Temp\delas.bat

    Filesize

    131B

    MD5

    3339e31bcb4a5125b84f110076c4d10b

    SHA1

    31d29dd380cd426714ff57ebd3f8c76e7ead41b8

    SHA256

    eac22da7324489fe79fb20c9ba41823a4f3f48b14bdeef6be220d74802dc213c

    SHA512

    5983b3257021a633847b5871df83bbd1a853c48facdb1b87a0dd08e8c0967905e12e5a0f01191d5a8f58a216e1369e9c16bdf7f09f0b7ba5ffa23c45e99c4d92

  • C:\Windows\SysWOW64\inetsrv\start.vbs

    Filesize

    112B

    MD5

    b1d9ca5c82b90fe4037c189ba50efa1e

    SHA1

    f55e234934271d4633ab04e01cf40936bc539f2e

    SHA256

    1be457ee2d173dd2dac772a484f762cbb405fdd72133c1651fe0a61424377f0a

    SHA512

    38e4f3d54de3ffa3d115ba5e0aa81d37fa1761030f9685b779be48f5d57cc50646b3a9cd7e4af06411d732843e3ff246cede7643497312a099ce6113fd846d8d

  • C:\Windows\SysWOW64\inetsrv\svchost.exe

    Filesize

    4KB

    MD5

    ad9af3371c3dfd5314342e3b3757494d

    SHA1

    145db4d30904f2d76b41efa689c7fcf9a21ece7f

    SHA256

    7ba917d53b989bf4ab2731c4fbbe78dfbf7e04ddd58a011e52fdcb86ca929222

    SHA512

    87ad9b802ab1aa634083232f41c5e9bb904deb150b1155f7c8b733fee539932514d25d6c2e45d321c78bf565a568aa9293820e8ac61ca491347f3ce6ff528e44

  • memory/3856-12-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/3856-15-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/4008-0-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/4008-5-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB