Overview

overview

7

Static

static

3

8634a3db54...79.exe

windows7-x64

7

8634a3db54...79.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    154s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-02-2024 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe

  • Size

    814KB

  • MD5

    daeeb64bc3b2ca69d5062b932d9f5486

  • SHA1

    d958e304dbd45b11f414034799e005510ff2d94d

  • SHA256

    8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679

  • SHA512

    6db8fc36dfd4b0ce9c4e15f27c25760cd361f78bffbc8e39796f846f324b58fb90800fe9ca6c1f2e35f415ae7ba880730aeaa4a90621bb1634b7c12e04742d0a

  • SSDEEP

    12288:6JTQdb6aT/+OkC2WOPASrfuhheB0IyXUJW+QiAukU30+9Ir/CSQC:mTQdb6aTfkC2WOIOI4qIwUk+T/G/CA

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe
    "C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe
      "C:\Users\Admin\AppData\Local\Temp\8634a3db542e996337729ffab3913e48633f6422d1cde9a6f743a42a3bf75679.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1060
        3⤵
        • Program crash
        PID:4744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4432 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2416 -ip 2416
      1⤵
        PID:1952

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nssBED7.tmp\System.dll
        Filesize

        11KB

        MD5

        2ae993a2ffec0c137eb51c8832691bcb

        SHA1

        98e0b37b7c14890f8a599f35678af5e9435906e1

        SHA256

        681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

        SHA512

        2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nssBED7.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        b648c78981c02c434d6a04d4422a6198

        SHA1

        74d99eed1eae76c7f43454c01cdb7030e5772fc2

        SHA256

        3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

        SHA512

        219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

        Download Submit

      • C:\Windows\hotdoggen.ini
        Filesize

        50B

        MD5

        70345464ba62a9453db2f24c1bc10881

        SHA1

        62fe4814d1b6082b46c196734b9eaf33b9b691bb

        SHA256

        cc7e912d757a17a09ced10401c69d122b7972d4f9f6e26705e18a8cfe3ebef40

        SHA512

        b0ed1640898ebf66797489862be3acdff589b161106c688e0536cabd91f673a75126a70b9363b078d8c88144d547ded4e8980e457c8e75e1477aadbb5414ae3a

        Download Submit

      • memory/2248-298-0x0000000077551000-0x0000000077671000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2248-299-0x0000000010000000-0x0000000010006000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2416-301-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2416-300-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2416-302-0x00000000775D8000-0x00000000775D9000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-304-0x00000000775F5000-0x00000000775F6000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-317-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2416-319-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2416-320-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2416-321-0x0000000077551000-0x0000000077671000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2416-322-0x0000000035210000-0x000000003555A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2416-323-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download