Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/03/2024, 07:30 UTC

General

  • Target

    c80d627107db611cb805b7fdce880030.exe

  • Size

    63KB

  • MD5

    c80d627107db611cb805b7fdce880030

  • SHA1

    efacc489df7020f605953c9bd16afbccc09e2824

  • SHA256

    ea933832e2b54394e17c2ca51f5d0e42a9a76dd1f6e3c0439d1415f77fa31548

  • SHA512

    f6532255995ba423ca954c099c696368f19c57cf85052fe74a94578ae6205dd0a5bb07295ca32d390b7c0535e54cca82020c54593b1f7018d3fa4a048c08850a

  • SSDEEP

    1536:UjV8OL2JLAEEbBow9551m5HwgvTnjrrzQgPZT4rNuGOVm5SvDqm7UZdyhG:UJ8ZJYBoM1m5RznrzQq6rNBfgzY48

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Modifies Shared Task Scheduler registry keys 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe
    "C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe
      "C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe"
      2⤵
      • Modifies Shared Task Scheduler registry keys
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\wndutl32.dll,load
        3⤵
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Modifies Shared Task Scheduler registry keys
        • Loads dropped DLL
        • Windows security modification
        • Sets desktop wallpaper using registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • System policy modification
        PID:2372
    • C:\Users\Admin\AppData\Local\Temp\load.exe
      "C:\Users\Admin\AppData\Local\Temp\load.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\load.exe"
        3⤵
          PID:2380

Network

    • DNS
      bestlocatehomes.com
      Remote address:
      8.8.8.8:53
      Request
      bestlocatehomes.com
      IN A
      Response
    No results found
    • 8.8.8.8:53
      bestlocatehomes.com
      dns
      65 B
      138 B
      1
      1

      DNS Request

      bestlocatehomes.com

MITRE ATT&CK Enterprise v15

Downloads

    • \Users\Admin\AppData\Local\Temp\dropper_286962.exe

      Filesize

      43KB

      MD5

      df0ad057821a5a5218125a7cf7375813

      SHA1

      0195d399cc9c705f70b06d8a9dd16fd50d494f16

      SHA256

      98ae0c7ec0479ae48fe9deaa6d5f16d733248a8ecd3137e213e2c84221881d75

      SHA512

      a05f64df4431414467e25b71af1c50e09c73b0eb85e2b6f9011393d837fcc56bf9c93857867c0ab71e7da3ba52e2a5693ca10a8a2c6bcb8ff54e5971c7db2016

    • \Users\Admin\AppData\Local\Temp\load.exe

      Filesize

      9KB

      MD5

      2074d9f84dabdaa9eca10d550797740c

      SHA1

      ae5c559a7c167c716bfd4c1fbdf6582a9112625a

      SHA256

      3e27f5e6be8ca368e9f49fbb0af15b253ad9f1a719248992a85fdc50d4d781ab

      SHA512

      b486868fa9dcf2dfac2069998c3a580ba8fe12a9dcba7bf4cfd44d06b021d53ef29ba4415a2780c8d239f708015f00b54c2b32e3ac869f792ae6d633c71d4589

    • \Users\Admin\AppData\Local\Temp\wndutl32.dll

      Filesize

      13KB

      MD5

      566881585b351cdcc4f66648c6b98a58

      SHA1

      fc996cda1a168532d6d7e899c4bb1684199262bb

      SHA256

      5bd5db0388afdc882eb196a9e03681944ef10cba658eef11fb89feac0eed4e30

      SHA512

      cc16ea70971a995a6788112e0a58a686272f18352d881274af3ec7d5a274edb30e3a910c0dc0a657f6c310475e959c853551dc350555f7c8add4d3613c66580c

    • memory/1912-23-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1912-1-0x0000000000220000-0x000000000022F000-memory.dmp

      Filesize

      60KB

    • memory/1912-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1912-4-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2560-32-0x0000000000220000-0x0000000000222000-memory.dmp

      Filesize

      8KB

    • memory/2560-27-0x0000000000400000-0x000000000090A000-memory.dmp

      Filesize

      5.0MB

    • memory/2560-41-0x0000000000400000-0x000000000090A000-memory.dmp

      Filesize

      5.0MB

    • memory/2936-24-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2936-15-0x0000000000220000-0x000000000022A000-memory.dmp

      Filesize

      40KB

    • memory/2936-14-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/2936-40-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB