Analysis
  max time kernel: 117s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 12/03/2024, 07:40
Static task: static1
Behavioral task: behavioral1
  Sample: c2d1012eef77d03d5a4bd270aa36f782.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c2d1012eef77d03d5a4bd270aa36f782.exe
  Resource: win10v2004-20231215-en
General
  Target: c2d1012eef77d03d5a4bd270aa36f782.exe
  Size: 343KB
  MD5: c2d1012eef77d03d5a4bd270aa36f782
  SHA1: 3e31bd51c2744f4793fe5d780927cac627afe6d0
  SHA256: b5f572622e992d1b6bc551a5de08e67d4cbbfe9d683429c7d98f4722311538d3
  SHA512: 6e015f3c49126b7085b0da291e3a9296a220a2f1c2f6da9fb2aa18c5ffc42c09a9ba9121bb6abb73335c34671081d70f4d04c92ba08334bb5c5bceda92ebf829
  SSDEEP: 6144:iEiDBF2idZecnl20lHRxp3g2ncduD7yB9VCO6Sco4q8+dE6CqmQw:iEyF3Z4mxxRDqVTVOCmd
Malware Config
Signatures
  Deletes itself (1 IoC)
    pid 2908  Process: cmd.exe
  Executes dropped EXE (1 IoC)
    pid 2212  Process: servet.exe
  Loads dropped DLL (2 IoCs)
    pid 1736  Process: c2d1012eef77d03d5a4bd270aa36f782.exe
    pid 1736  Process: c2d1012eef77d03d5a4bd270aa36f782.exe
  Drops file in System32 directory (4 IoCs)
    description                   ioc                                Process
    File opened for modification  C:\Windows\SysWOW64\servet.exe     c2d1012eef77d03d5a4bd270aa36f782.exe
    File opened for modification  C:\Windows\SysWOW64\servet.exe     servet.exe
    File created                  C:\Windows\SysWOW64\Deledomn.bat   c2d1012eef77d03d5a4bd270aa36f782.exe
    File created                  C:\Windows\SysWOW64\servet.exe     c2d1012eef77d03d5a4bd270aa36f782.exe
  Suspicious use of WriteProcessMemory (8 IoCs)
    description                        pid   Process                               procid_target
    PID 1736 wrote to memory of 2212   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  28
    PID 1736 wrote to memory of 2212   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  28
    PID 1736 wrote to memory of 2212   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  28
    PID 1736 wrote to memory of 2212   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  28
    PID 1736 wrote to memory of 2908   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  29
    PID 1736 wrote to memory of 2908   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  29
    PID 1736 wrote to memory of 2908   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  29
    PID 1736 wrote to memory of 2908   1736  c2d1012eef77d03d5a4bd270aa36f782.exe  29
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\c2d1012eef77d03d5a4bd270aa36f782.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c2d1012eef77d03d5a4bd270aa36f782.exe"
      PID: 1736
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      [2] C:\Windows\SysWOW64\servet.exe
          command line: C:\Windows\system32\servet.exe
          PID: 2212
          - Executes dropped EXE
          - Drops file in System32 directory
      [2] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c C:\Windows\system32\Deledomn.bat
          PID: 2908
          - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
  File 1
    Filesize: 184B
    MD5: 3490cbbc442d4f827dfae32244d68542
    SHA1: 5b70fe3bb5455749f273aa5fec461d2a75290565
    SHA256: c7955bec38be129f8cfa545ecbd75c2c2a9e1565888982db1611ebc0d1bb170a
    SHA512: 4b030d431e23b409b553a64d6e176dfa9567e9c224f678138b9855a40cbd6ed2a333d5b1165c59e5ba405a4e906254d22ed96de28be9e12e6a0073f3f1a1cfdd
  File 2
    Filesize: 343KB
    MD5: c2d1012eef77d03d5a4bd270aa36f782
    SHA1: 3e31bd51c2744f4793fe5d780927cac627afe6d0
    SHA256: b5f572622e992d1b6bc551a5de08e67d4cbbfe9d683429c7d98f4722311538d3
    SHA512: 6e015f3c49126b7085b0da291e3a9296a220a2f1c2f6da9fb2aa18c5ffc42c09a9ba9121bb6abb73335c34671081d70f4d04c92ba08334bb5c5bceda92ebf829