Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/03/2024, 07:05
Behavioral task: behavioral1
- Sample: b417520adc01a922c56f942f4075de98.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b417520adc01a922c56f942f4075de98.exe
- Resource: win10v2004-20240226-en
General
- Target: b417520adc01a922c56f942f4075de98.exe
- Size: 10KB
- MD5: b417520adc01a922c56f942f4075de98
- SHA1: 8835512659b8a04266a2643bacea84e2dc4e95d7
- SHA256: 9b391d5bacc3b30ef87d8aa2197ba6d49c254b21d9d1901e79a2e90c9307c8a9
- SHA512: 716a9bf30eea000cc1bae67642e7b70f34c0a38d5cf52049baca458e95f21bd9228a09b9cdd779928f27af2f9b25f4553cce02d58b24c70bca0456e974b33ae0
- SSDEEP: 192:70Abfjwc03Ex8Swcp/nncrR37vOhGytPg+Q+:7fDEx3E6SnPcrRLly9gd+
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  pid 2672, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1384, process reglakok.exe
- Loads dropped DLL (2 IoCs)
  pid 1784, process b417520adc01a922c56f942f4075de98.exe
  pid 1784, process b417520adc01a922c56f942f4075de98.exe
- YARA rule matches (resource, yara_rule)
  behavioral1/memory/1784-0-0x0000000000400000-0x000000000040F000-memory.dmp, upx
  behavioral1/files/0x000c000000015a2d-3.dat, upx
  behavioral1/memory/1784-4-0x0000000000030000-0x000000000003F000-memory.dmp, upx
  behavioral1/memory/1384-11-0x0000000000400000-0x000000000040F000-memory.dmp, upx
  behavioral1/memory/1784-19-0x0000000000400000-0x000000000040F000-memory.dmp, upx
  behavioral1/memory/1384-21-0x0000000000400000-0x000000000040F000-memory.dmp, upx
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\reglakok.exe (process b417520adc01a922c56f942f4075de98.exe)
  File opened for modification: C:\Windows\SysWOW64\reglakok.exe (process b417520adc01a922c56f942f4075de98.exe)
  File created: C:\Windows\SysWOW64\reglako.dll (process b417520adc01a922c56f942f4075de98.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1784 wrote to memory of 1384; process b417520adc01a922c56f942f4075de98.exe, procid_target 28 (4 identical entries)
  PID 1784 wrote to memory of 2672; process b417520adc01a922c56f942f4075de98.exe, procid_target 29 (4 identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\b417520adc01a922c56f942f4075de98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b417520adc01a922c56f942f4075de98.exe"
  PID: 1784
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\reglakok.exe
    Command line: C:\Windows\system32\reglakok.exe ˜‰
    PID: 1384
    Signatures: Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b417520adc01a922c56f942f4075de98.exe.bat
    PID: 2672
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 1c8a49393889d8a23037a8e9d612f8df
  SHA1: f95aedfb1474c223df41d4533ad9a2720ff5d143
  SHA256: e38106c81f221a9437c73dfcae1807b7ac227ed1d74bcfb894e40d9c3c18d705
  SHA512: 869116b121164d8623bfc240b29e2b5419b212db9e2c8eca146e458006ecf8df31e92418b26e686e0e42d9d61cf654fa1caac767cee846fd23c3e97e6eb877ea
- Filesize: 10KB
  MD5: b417520adc01a922c56f942f4075de98
  SHA1: 8835512659b8a04266a2643bacea84e2dc4e95d7
  SHA256: 9b391d5bacc3b30ef87d8aa2197ba6d49c254b21d9d1901e79a2e90c9307c8a9
  SHA512: 716a9bf30eea000cc1bae67642e7b70f34c0a38d5cf52049baca458e95f21bd9228a09b9cdd779928f27af2f9b25f4553cce02d58b24c70bca0456e974b33ae0