Overview

overview

10

Static

static

3

d5b5fc6fdd...f7.exe

windows7-x64

10

d5b5fc6fdd...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2024, 08:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d5b5fc6fddcfec0860d29558ac2bc8f7.exe

  • Size

    226KB

  • MD5

    d5b5fc6fddcfec0860d29558ac2bc8f7

  • SHA1

    2d3ffedd820f8039e8705a7c108c98fcdc644f17

  • SHA256

    6324a3ae7be406da03c391a83c0562d438c62a1cbed0d2fcbe0e2a1144ab7e84

  • SHA512

    0dfe4d7a55454ddcbec1e8c8ac981933ec1f5eb9e8ce42eb74caaf221d42ea5d77dc99492e9b5c9d20818bce081a12685b3a3a7e2f5025416d36f07ea76a6374

  • SSDEEP

    6144:iBRT6zO0Q6zmTBy4/BbBVp/Qnxn6byocKIWCW:D5UL4nxnGcLTW

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe
    "C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Enumerates connected drives
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c _dcp.bat
      2⤵
      • Drops file in System32 directory
      PID:2724
    • C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe
      C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe
      2⤵
      • Modifies WinLogon for persistence
      • Enumerates connected drives
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c _dcp.bat
        3⤵
        • Drops file in System32 directory
        PID:1624
      • C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe
        C:\Users\Admin\AppData\Local\Temp\d5b5fc6fddcfec0860d29558ac2bc8f7.exe
        3⤵
        • Modifies WinLogon for persistence
        • Enumerates connected drives
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c _dcp.bat
          4⤵
            PID:1912

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\httpErrorPagesScripts[1]
            Filesize

            8KB

            MD5

            3f57b781cb3ef114dd0b665151571b7b

            SHA1

            ce6a63f996df3a1cccb81720e21204b825e0238c

            SHA256

            46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

            SHA512

            8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\NewErrorPageTemplate[1]
            Filesize

            1KB

            MD5

            cdf81e591d9cbfb47a7f97a2bcdb70b9

            SHA1

            8f12010dfaacdecad77b70a3e781c707cf328496

            SHA256

            204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

            SHA512

            977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\dnserrordiagoff[1]
            Filesize

            1KB

            MD5

            47f581b112d58eda23ea8b2e08cf0ff0

            SHA1

            6ec1df5eaec1439573aef0fb96dabfc953305e5b

            SHA256

            b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

            SHA512

            187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\errorPageStrings[1]
            Filesize

            2KB

            MD5

            e3e4a98353f119b80b323302f26b78fa

            SHA1

            20ee35a370cdd3a8a7d04b506410300fd0a6a864

            SHA256

            9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

            SHA512

            d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\_dcp.bat
            Filesize

            121B

            MD5

            de937f28070fb33562610c4f1ededdef

            SHA1

            b056d3bf292716572f9313a4601e085a8e3f3299

            SHA256

            f1b6cce184f0ba6d2abaa9a5135cff49c65f3deb7a061b718175f57ef85c59d4

            SHA512

            9b1bc39e7f268dbe4639cc15c8f3666e88164f2e33cf03670aeda4392e9efa3cbb04c82bfb24a5c8fe050c7521f1464c86faf361efa80f94604b436f21c1665b

            Download Submit

          • C:\Windows\SysWOW64\userinits.exe
            Filesize

            26KB

            MD5

            61ac3efdfacfdd3f0f11dd4fd4044223

            SHA1

            211295ccda6cf6409189279bf66a212bd53fc650

            SHA256

            538fe1012fedc72727a8de0c2c01944b3d35c29812ecef88e95aac07235e0b0b

            SHA512

            754aefaa81b2435e05037c0a7d057fd86ef8f62d49aad399d7fc4ead1e68793e5cc9ba639245a133cfb6f67d1f4bb6a95a972da3ef4ed92855cb1742241f89eb

            Download Submit

          • C:\Windows\SysWOW64\userinits.exe
            Filesize

            26KB

            MD5

            a3d7983aba25a30a72a2ef804db5623b

            SHA1

            809ad7dadbfc46988dd8138a81fcba4f652e3b20

            SHA256

            0c35865eec2cf793b54c4c420887951a56ee651be16a620d880ea7bd9772bb26

            SHA512

            fc779e2a8132cf39ac6abbbabbb70294e90f683c32e43ec31f15caab00b7f8fcb258f4f22fabbaf0c5bda4ce59f2b22be452fff53b75dafdbb66a2e9ef0aeb1d

            Download Submit

          • C:\Windows\SysWOW64\wuptray.exe
            Filesize

            226KB

            MD5

            d5b5fc6fddcfec0860d29558ac2bc8f7

            SHA1

            2d3ffedd820f8039e8705a7c108c98fcdc644f17

            SHA256

            6324a3ae7be406da03c391a83c0562d438c62a1cbed0d2fcbe0e2a1144ab7e84

            SHA512

            0dfe4d7a55454ddcbec1e8c8ac981933ec1f5eb9e8ce42eb74caaf221d42ea5d77dc99492e9b5c9d20818bce081a12685b3a3a7e2f5025416d36f07ea76a6374

            Download Submit

          • memory/1784-39-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1784-78-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/1784-37-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/1784-89-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/1784-80-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1784-38-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/1784-79-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1784-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2644-2-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2644-35-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2644-36-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2644-0-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2644-45-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2644-1-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2848-82-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2848-83-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2848-81-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2848-84-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2848-122-0x0000000000400000-0x00000000004EE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2848-123-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download