3e5d623f059027477dc7107aa7739ead0fdbad4da0fdcfdfc307132497fd6e7f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3bab1fabdba91a022e2ccbd88d0dfcf.exe
Size

37KB
MD5

c3bab1fabdba91a022e2ccbd88d0dfcf
SHA1

afd5fc9e58309eb5ec988d75dc6cde7a5473fc10
SHA256

3e5d623f059027477dc7107aa7739ead0fdbad4da0fdcfdfc307132497fd6e7f
SHA512

c157a55fadcdf00b6d289000209090db51cbc4cb2b3fad22fb141bf2a39313f1b294c5fe61af1a7a70012054f9ae4dba612763ab8217e418e18da8906dcc1fa9
SSDEEP

768:jpuxbbb93pfzxWt7QYQ8IgDidhHPjAJYvHF0lwY437avXKrnrc:j0Rbb5WRQYt9ir/2wrab

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\rY8Ulx50.com	c3bab1fabdba91a022e2ccbd88d0dfcf.exe
File opened for modification	C:\Windows\Fonts\rY8Ulx50.com	c3bab1fabdba91a022e2ccbd88d0dfcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	c3bab1fabdba91a022e2ccbd88d0dfcf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	c3bab1fabdba91a022e2ccbd88d0dfcf.exe
644	c3bab1fabdba91a022e2ccbd88d0dfcf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91
PID 2928 wrote to memory of 644	2928	c3bab1fabdba91a022e2ccbd88d0dfcf.exe	91

C:\Users\Admin\AppData\Local\Temp\c3bab1fabdba91a022e2ccbd88d0dfcf.exe
"C:\Users\Admin\AppData\Local\Temp\c3bab1fabdba91a022e2ccbd88d0dfcf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\c3bab1fabdba91a022e2ccbd88d0dfcf.exe
  C:\Users\Admin\AppData\Local\Temp\c3bab1fabdba91a022e2ccbd88d0dfcf.exe
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/644-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/644-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2928-13-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2928-17-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2928-15-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2928-22-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download