Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-03-2024 01:45
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ca29d1197a6ce2c0a57740829d144f9e.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: ca29d1197a6ce2c0a57740829d144f9e.exe
  - Resource: win10v2004-20240226-en
General
- Target: ca29d1197a6ce2c0a57740829d144f9e.exe
- Size: 30KB
- MD5: ca29d1197a6ce2c0a57740829d144f9e
- SHA1: 2a3a19e5b4e9650fbaf821e4ff6ffeb396ff30c5
- SHA256: c69f883445121fdeec49f219d07873df98524818f2d01ea72bbac43e956b3bcb
- SHA512: 03100262b8703d2e93df8340d49e3006bc675930beb04b7edfe36ebdfcc694a465710cf8f373d846ace650ada5c39dfe30c5e7f74ef54b45bd28fbec8b2be3b6
- SSDEEP: 768:wY37FX4CQVTv2EQNWWJC/4gVYPahBTY2U1:X37FX4CQF7iWWS4gVyaHY2U1
Malware Config
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/2084-1-0x00000000008C0000-0x00000000008D9000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2084 | ca29d1197a6ce2c0a57740829d144f9e.exe
  2084 | ca29d1197a6ce2c0a57740829d144f9e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2084 | ca29d1197a6ce2c0a57740829d144f9e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2084 wrote to memory of 2624 | 2084 | ca29d1197a6ce2c0a57740829d144f9e.exe | cmd.exe
  PID 2084 wrote to memory of 2624 | 2084 | ca29d1197a6ce2c0a57740829d144f9e.exe | cmd.exe
  PID 2084 wrote to memory of 2624 | 2084 | ca29d1197a6ce2c0a57740829d144f9e.exe | cmd.exe
  PID 2084 wrote to memory of 2624 | 2084 | ca29d1197a6ce2c0a57740829d144f9e.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ca29d1197a6ce2c0a57740829d144f9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca29d1197a6ce2c0a57740829d144f9e.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CA29D1~1.EXE > nul