5ce20516d58cbf2a1e4813e452f26b6ec62a815c7fb70974d0ea97aaa4b4acf1

Analysis

max time kernel
145s
max time network
162s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc5e8412f462feff5e910a75d7b66db4.exe
Size

190KB
MD5

cc5e8412f462feff5e910a75d7b66db4
SHA1

4fb581dd06122898e7df0fa14353bc5f449628dc
SHA256

5ce20516d58cbf2a1e4813e452f26b6ec62a815c7fb70974d0ea97aaa4b4acf1
SHA512

1ecbbcf7d5e5a321c0a66d36eff84b5f817af581d309cd5a9186b29fbd3f80fbc5421907cb1b4da0dcec5132a962e44a0b70443bd4e9af686994a5dc80d6bbf9
SSDEEP

3072:WSsAduIS2dCuxKBgigyk5VaOOhS4CLFiHtHuYTzKUvqA8pw39t47TL/NNBiokjIE:WSsAduIS2dCuxKBgigx5VaOOxU8NO+zV

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2900 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

imgconvert.exe

pid process

2724 imgconvert.exe
Loads dropped DLL 2 IoCs

Processes:

cc5e8412f462feff5e910a75d7b66db4.exe

pid process

2208 cc5e8412f462feff5e910a75d7b66db4.exe
2208 cc5e8412f462feff5e910a75d7b66db4.exe

pid	process
2900	cmd.exe

pid	process
2724	imgconvert.exe

pid	process
2208	cc5e8412f462feff5e910a75d7b66db4.exe
2208	cc5e8412f462feff5e910a75d7b66db4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cc5e8412f462feff5e910a75d7b66db4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT Kernel System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc5e8412f462feff5e910a75d7b66db4.exe"	cc5e8412f462feff5e910a75d7b66db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Network System = "C:\\Users\\Admin\\AppData\\Roaming\\imgconvert.exe"	cc5e8412f462feff5e910a75d7b66db4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cc5e8412f462feff5e910a75d7b66db4.exe

description	pid	process	target process
PID 2208 wrote to memory of 2724	2208	cc5e8412f462feff5e910a75d7b66db4.exe	imgconvert.exe
PID 2208 wrote to memory of 2724	2208	cc5e8412f462feff5e910a75d7b66db4.exe	imgconvert.exe
PID 2208 wrote to memory of 2724	2208	cc5e8412f462feff5e910a75d7b66db4.exe	imgconvert.exe
PID 2208 wrote to memory of 2724	2208	cc5e8412f462feff5e910a75d7b66db4.exe	imgconvert.exe
PID 2208 wrote to memory of 2900	2208	cc5e8412f462feff5e910a75d7b66db4.exe	cmd.exe
PID 2208 wrote to memory of 2900	2208	cc5e8412f462feff5e910a75d7b66db4.exe	cmd.exe
PID 2208 wrote to memory of 2900	2208	cc5e8412f462feff5e910a75d7b66db4.exe	cmd.exe
PID 2208 wrote to memory of 2900	2208	cc5e8412f462feff5e910a75d7b66db4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cc5e8412f462feff5e910a75d7b66db4.exe
"C:\Users\Admin\AppData\Local\Temp\cc5e8412f462feff5e910a75d7b66db4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Roaming\imgconvert.exe
"C:\Users\Admin\AppData\Roaming\imgconvert.exe"
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\System.bat" "
2⤵
- Deletes itself
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System.bat
Filesize
243B

MD5
363f12adb961ed48aec3911acb5a01ae

SHA1
bee5a0b2486fd15c6520e513cb693ceb249307c8

SHA256
732245b11cb934ae135ac1be94710b93ce58c42f42387a19b435a5aa2c68248b

SHA512
b9a024881f5f7ac1075a548e3ba375dc9b577bcf4b230069b25294402fd04470dff3c14d26748d031d47813bc2e67a11d889c66dde1201c82d500125f426a450

Download Submit
\Users\Admin\AppData\Roaming\imgconvert.exe
Filesize
190KB

MD5
cc5e8412f462feff5e910a75d7b66db4

SHA1
4fb581dd06122898e7df0fa14353bc5f449628dc

SHA256
5ce20516d58cbf2a1e4813e452f26b6ec62a815c7fb70974d0ea97aaa4b4acf1

SHA512
1ecbbcf7d5e5a321c0a66d36eff84b5f817af581d309cd5a9186b29fbd3f80fbc5421907cb1b4da0dcec5132a962e44a0b70443bd4e9af686994a5dc80d6bbf9

Download Submit
memory/2208-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2208-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download