Analysis
max time kernel: 142s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 04/03/2024, 22:12
Static task: static1
Behavioral task: behavioral1
  Sample: b33a36a1718cf0c996c00dce8b76659b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b33a36a1718cf0c996c00dce8b76659b.exe
  Resource: win10v2004-20240226-en
General
Target: b33a36a1718cf0c996c00dce8b76659b.exe
Size: 791KB
MD5: b33a36a1718cf0c996c00dce8b76659b
SHA1: 677ddcd6baea11f0e3a0c170b11e4792b2f7b7ce
SHA256: 07e84078d8d4f3cbf855d5a965d8fe4cbe482929c2c35320fb5535a757232356
SHA512: 889d117ea25a61a8c89b92fe487641d20ded4066409ce85ff2c602f6fbab326acf57f9a1de36ab793256f7a119996042619d59281906e98aff9de4c54d349bad
SSDEEP: 24576:gzYXUjH73F0E+f48X97kF60mV59FuXSoOA2ea8gI+k9Tiq:ZkrjFF+7N7kujr8SoOA1aFI+oTJ
Malware Config
Signatures
YARA rule match
  resource: behavioral1/files/0x000c000000013413-433.dat, yara_rule: aspack_v212_v242
Executes dropped EXE (1 IoC)
  PID 2864: diyoem.exe
Loads dropped DLL (5 IoCs)
  PID 2188: b33a36a1718cf0c996c00dce8b76659b.exe (2 events)
  PID 2864: diyoem.exe (3 events)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0} (process: diyoem.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2864: diyoem.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2188 (b33a36a1718cf0c996c00dce8b76659b.exe) wrote to memory of PID 2864, procid_target 28 (7 events)
Processes
C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"
  PID: 2188
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe"
    PID: 2864
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads