Analysis
Max time kernel: 117s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 14/03/2024, 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: c9328044f3d94a0e9dc9d22c200e317a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c9328044f3d94a0e9dc9d22c200e317a.exe
  Resource: win10v2004-20231215-en
General
Target: c9328044f3d94a0e9dc9d22c200e317a.exe
Size: 145KB
MD5: c9328044f3d94a0e9dc9d22c200e317a
SHA1: d036f755ad9001dbad66d2011fb470a3c9452643
SHA256: 0fbeb3f50de140fda85678fe354a9cd5df970763fa9541c7a7f93226c292e1d9
SHA512: d439c3ff81a64e0393358f34cf3b3905b88141e501bfe9100846c889ee6fb6934ba0e27cc4d74a69b13380c02b3c814cf054203a65ab6ff8b8dfe6879be88d30
SSDEEP: 3072:OXPjwSiU99T0uhtdk4to+sogF9zcn4FZhFU/tZ5Cm80Kba:ePjUU9V0Svbs/zG2H+ZJ2
Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)

Deletes itself (1 IoC)
  pid   Process
  2912  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2776  c9328044f3d94a0e9dc9d22c200e317a.exe
  2912  cmd.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\PkgMpubw.dll  c9328044f3d94a0e9dc9d22c200e317a.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2776  c9328044f3d94a0e9dc9d22c200e317a.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                               procid_target
  PID 2776 wrote to memory of 1200   2776  c9328044f3d94a0e9dc9d22c200e317a.exe  21
  PID 2776 wrote to memory of 2912   2776  c9328044f3d94a0e9dc9d22c200e317a.exe  28
  PID 2776 wrote to memory of 2912   2776  c9328044f3d94a0e9dc9d22c200e317a.exe  28
  PID 2776 wrote to memory of 2912   2776  c9328044f3d94a0e9dc9d22c200e317a.exe  28
  PID 2776 wrote to memory of 2912   2776  c9328044f3d94a0e9dc9d22c200e317a.exe  28
  PID 2912 wrote to memory of 2664   2912  cmd.exe                               30
  PID 2912 wrote to memory of 2664   2912  cmd.exe                               30
  PID 2912 wrote to memory of 2664   2912  cmd.exe                               30
  PID 2912 wrote to memory of 2664   2912  cmd.exe                               30

Views/modifies file attributes (1 TTP, 1 IoC)
  pid   Process
  2664  attrib.exe
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200

  Level 2: C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe"
    PID: 2776
    Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259428835.bat" "C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe""
      PID: 2912
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe"
        PID: 2664
        Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 69B
  MD5: 604802586163bdc9eda42f6a471e01ad
  SHA1: fc255017a78e3ec103f73c8c8651effe08089c81
  SHA256: 02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3
  SHA512: 66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

File 2
  Filesize: 61KB
  MD5: 015d99269f95fad18b6f817c165b27ad
  SHA1: a88b415595d611bc6966ab670ae9ef13c19e4958
  SHA256: 19dbe5b20af44f54ea636c229e29caa00471bb7445d8f92707665388baca73ec
  SHA512: b8776d52fac397b9565b6c076bb51ab5e018b4b4d5065e36d2700eabef797a1d7558b55ff2e8c44347174932e11ed4b81b661822dea1dfa58b836964051bf856