Analysis
  max time kernel: 18s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 02/03/2024, 16:40
  Static task: static1
General
  Target: -
  Size: 467KB
  MD5: ab65e866abc51f841465d19aba35fb14
  SHA1: ec79f1f511a199291b0893bc866a788ceac19f6e
  SHA256: 2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755
  SHA512: 2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e
  SSDEEP: 12288:JSAEF99H0UO8MDCSP0iUiF1lv54a7cXndlZni:wX9HjOEaUw3cXd
Malware Config
Signatures
  Disables Task Manager via registry modification
  Executes dropped EXE (1 IoCs)
    pid 2032  Process WbVhxCIDDK.exe
  Loads dropped DLL (2 IoCs)
    pid 2164  Process [email protected]
    pid 2164  Process [email protected]
  (yara_rule match)
    resource: behavioral1/memory/2164-3-0x0000000000600000-0x0000000000678000-memory.dmp  yara_rule: upx
  Adds Run key to start application (2 TTPs, 1 IoCs)
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\WbVhxCIDDK = "C:\\ProgramData\\WbVhxCIDDK.exe"  Process [email protected]
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Modifies Internet Explorer settings
    Key created      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download  Process [email protected]
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"  Process [email protected]
  Suspicious behavior: EnumeratesProcesses (33 IoCs)
    pid 2164  Process [email protected]  (15 entries)
    pid 2032  Process WbVhxCIDDK.exe  (18 entries)
  Suspicious behavior: RenamesItself (1 IoCs)
    pid 2164  Process [email protected]
  Suspicious use of WriteProcessMemory (4 IoCs)
    PID 2164 wrote to memory of 2032  pid 2164  Process [email protected]  procid_target 28  (reported 4 times)
  System policy modification (1 TTPs, 2 IoCs)
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Process [email protected]
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  Process [email protected]
Processes
  1. C:\Users\Admin\AppData\Local\Temp\[email protected]
     command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
     PID: 2164
     - Loads dropped DLL
     - Adds Run key to start application
     - Modifies Internet Explorer settings
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: RenamesItself
     - Suspicious use of WriteProcessMemory
     - System policy modification
     2. C:\ProgramData\WbVhxCIDDK.exe (child of PID 2164)
        command line: "C:\ProgramData\WbVhxCIDDK.exe"
        PID: 2032
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 67KB
    MD5: 753df6889fd7410a2e9fe333da83a429
    SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
    SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
    SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
  File 2
    Filesize: 175KB
    MD5: dd73cead4b93366cf3465c8cd32e2796
    SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
    SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
    SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
  File 3 (same hashes as the submitted sample)
    Filesize: 467KB
    MD5: ab65e866abc51f841465d19aba35fb14
    SHA1: ec79f1f511a199291b0893bc866a788ceac19f6e
    SHA256: 2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755
    SHA512: 2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e