Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 05:47
Behavioral task: behavioral1
Sample: b3f0afe4e3456523502d6ef1d0c402b4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b3f0afe4e3456523502d6ef1d0c402b4.exe
Resource: win10v2004-20240226-en
General
Target: b3f0afe4e3456523502d6ef1d0c402b4.exe
Size: 47KB
MD5: b3f0afe4e3456523502d6ef1d0c402b4
SHA1: 63a8c4444267dea5268780ff495d3fcf4d4b5690
SHA256: dcac9c98f6f51362bbcd26e9509a2d4a03d4427d50b000528842ec0b00ca7f0f
SHA512: 05192e78d16d139818d36374082024bd122c709c0b32ac174a74a1053a055fd2e8b9ebed9c9e333c844dcc9a7774c90eae115a42bb261ae7ad72063223c3fcc0
SSDEEP: 768:DQMGEnhR6hs1K0tW3KPHTGovr1AXsDj+N/kM9I/l6UKOe+AEGqYARSCNdIixRde8:kmb5XWUHdr1y/rI/lo9qNRSCN/J
Malware Config
Signatures

Loads dropped DLL (1 IoCs)
pid   Process
1932  rundll32.exe

Drops file in Program Files directory (1 IoCs)
description                   ioc                                         Process
File opened for modification  C:\Program Files\Wizet\Maple\npkcrypt.dll  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1932  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                               procid_target
PID 2752 wrote to memory of 1932  2752  b3f0afe4e3456523502d6ef1d0c402b4.exe  28
(this same entry is recorded 7 times in the report)
Processes

C:\Users\Admin\AppData\Local\Temp\b3f0afe4e3456523502d6ef1d0c402b4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3f0afe4e3456523502d6ef1d0c402b4.exe"
  PID: 2752
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Favorites\hfdf.hlp" InstallHook1
    PID: 1932
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 61KB
MD5: 5ae5fbaa678e08e5d136826a8de7cc16
SHA1: 0b4192bc6a527856f3a7a70d29d171cbbef64286
SHA256: f59fa8cef0dd4d2583c9080f65fa7b4e4c956d1e2c5c2be0d741c435a86002de
SHA512: e8bf55ff6e43712c88181e7c0adc9b2082a476199d03fe1b8167d4e978d8285a1db02a6f626b89f3a52624967978f8d0cbeddeb4ef3edd9298af39d35fa394b4