bdd210ef7737f35bc2bac5aa6c67c9c97e47e4f689df7097e2f1e64fbb20f478

Analysis

max time kernel
171s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c22e24ed1d801dff312d34b1f1aa6914.exe
Size

20KB
MD5

c22e24ed1d801dff312d34b1f1aa6914
SHA1

cada554e6e83d80d5c98507880f8f4bfdc186731
SHA256

bdd210ef7737f35bc2bac5aa6c67c9c97e47e4f689df7097e2f1e64fbb20f478
SHA512

c5d9c2659f5ed1aeb7be6758cdeef97b0baa86bc057e026f70791e8c3c00d33823024c774c2f566d2116e3e429fe376479179a0aed569987f222f1ec1c610a16
SSDEEP

384:98eQ9KaonyQuJCn6VMceCJ8Xc3sJGWlQVSjxijGsvxtgolFwg1xD:OTKzyQuJFMw8n5luYxEbt7lFDD

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	NTdhcp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NTdhcp = "C:\\Windows\\system32\\NTdhcp.exe"	c22e24ed1d801dff312d34b1f1aa6914.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	c22e24ed1d801dff312d34b1f1aa6914.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe
File created	C:\Windows\SysWOW64\NTdhcp.exe	c22e24ed1d801dff312d34b1f1aa6914.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	c22e24ed1d801dff312d34b1f1aa6914.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2028	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	97
PID 1688 wrote to memory of 2028	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	97
PID 1688 wrote to memory of 2028	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	97
PID 1688 wrote to memory of 2496	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	98
PID 1688 wrote to memory of 2496	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	98
PID 1688 wrote to memory of 2496	1688	c22e24ed1d801dff312d34b1f1aa6914.exe	98

C:\Users\Admin\AppData\Local\Temp\c22e24ed1d801dff312d34b1f1aa6914.exe
"C:\Users\Admin\AppData\Local\Temp\c22e24ed1d801dff312d34b1f1aa6914.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Deleteme.bat
  2⤵
  PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4284 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
184B

MD5
7c65a2d9e6e9e8ebc957cf189289e6a1

SHA1
fdfe2cfa5adff3a4598c9cf5e10118b73060e561

SHA256
ebe181d2689468c25c6e7741a0f34a2ba10f90f050120ddf0a06d16245e8c1b0

SHA512
d07426a7353072c2523316c2d292bc8937d32114fe27f65f9e67fda031ab5f1a4bb2cb459fd8a56f6ebe64a126f9915d2904ff2816198032967ee42a3db473c3

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
20KB

MD5
c22e24ed1d801dff312d34b1f1aa6914

SHA1
cada554e6e83d80d5c98507880f8f4bfdc186731

SHA256
bdd210ef7737f35bc2bac5aa6c67c9c97e47e4f689df7097e2f1e64fbb20f478

SHA512
c5d9c2659f5ed1aeb7be6758cdeef97b0baa86bc057e026f70791e8c3c00d33823024c774c2f566d2116e3e429fe376479179a0aed569987f222f1ec1c610a16

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-2-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1688-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2028-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2028-9-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2028-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads