Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19-03-2024 12:40
Behavioral task: behavioral1
Sample: d623eb8c5e903b686640520b4fc875c9.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: d623eb8c5e903b686640520b4fc875c9.exe
Resource: win10v2004-20240226-en
General
Target: d623eb8c5e903b686640520b4fc875c9.exe
Size: 13KB
MD5: d623eb8c5e903b686640520b4fc875c9
SHA1: 5fe3d6cbfa4cc4b829338416672a64ab6084b98e
SHA256: d2d8182f10614eca1b408614c5f6bfdf0fd4dd9afe8f6629b4df6619b443710d
SHA512: a16c9620c400f909bd8741057720eab0db96ce4df4bbb734ab9b425b3bdc6c81d07916f972a02900617ae1a3bb69f0e500ca2dc90f35092a362335a605a253ee
SSDEEP: 384:cURsec4iMkbV0Hmo73lRbc9CgoAIOEwF7ftUbt7U+:cyfc4iM2VSmsw8Z+ftY
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  pid 2648  Process: cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2956  Process: qensngk.exe
- Loads dropped DLL (2 IoCs)
  pid 2040  Process: d623eb8c5e903b686640520b4fc875c9.exe
  pid 2040  Process: d623eb8c5e903b686640520b4fc875c9.exe
- yara_rule matches (resource / rule)
  behavioral1/memory/2040-1-0x0000000000400000-0x000000000040F000-memory.dmp   upx
  behavioral1/files/0x000c000000014890-3.dat                                   upx
  behavioral1/memory/2040-4-0x0000000000220000-0x000000000022F000-memory.dmp   upx
  behavioral1/memory/2956-12-0x0000000000400000-0x000000000040F000-memory.dmp  upx
  behavioral1/memory/2040-20-0x0000000000400000-0x000000000040F000-memory.dmp  upx
- Drops file in System32 directory (3 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\SysWOW64\qensng.dll   d623eb8c5e903b686640520b4fc875c9.exe
  File created                  C:\Windows\SysWOW64\qensngk.exe  d623eb8c5e903b686640520b4fc875c9.exe
  File opened for modification  C:\Windows\SysWOW64\qensngk.exe  d623eb8c5e903b686640520b4fc875c9.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 2040 wrote to memory of 2956  2040  d623eb8c5e903b686640520b4fc875c9.exe  28
  PID 2040 wrote to memory of 2956  2040  d623eb8c5e903b686640520b4fc875c9.exe  28
  PID 2040 wrote to memory of 2956  2040  d623eb8c5e903b686640520b4fc875c9.exe  28
  PID 2040 wrote to memory of 2956  2040  d623eb8c5e903b686640520b4fc875c9.exe  28
  PID 2040 wrote to memory of 2648  2040  d623eb8c5e903b686640520b4fc875c9.exe  29
  PID 2040 wrote to memory of 2648  2040  d623eb8c5e903b686640520b4fc875c9.exe  29
  PID 2040 wrote to memory of 2648  2040  d623eb8c5e903b686640520b4fc875c9.exe  29
  PID 2040 wrote to memory of 2648  2040  d623eb8c5e903b686640520b4fc875c9.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\d623eb8c5e903b686640520b4fc875c9.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d623eb8c5e903b686640520b4fc875c9.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2040
  C:\Windows\SysWOW64\qensngk.exe (depth 2)
    command line: C:\Windows\system32\qensngk.exe t!
    - Executes dropped EXE
    PID: 2956
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\d623eb8c5e903b686640520b4fc875c9.exe.bat
    - Deletes itself
    PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 182B
MD5: fa20a027a816353c43ada0f41c4257f4
SHA1: d537c9b9820e282f3f43660ddf641f7ef7a10676
SHA256: b62bc71790fb87dfe714f6655ba63b04e74ed16184fe70926f57dd66535ebbd5
SHA512: c0b197bca2d1d4e67af82439e10d1358012967b1981a2d3bd2389082580291775c77020b4847b38e059ce03922362d7cefda327ead00f1094e959c8184fd08a2

Filesize: 13KB
MD5: d623eb8c5e903b686640520b4fc875c9
SHA1: 5fe3d6cbfa4cc4b829338416672a64ab6084b98e
SHA256: d2d8182f10614eca1b408614c5f6bfdf0fd4dd9afe8f6629b4df6619b443710d
SHA512: a16c9620c400f909bd8741057720eab0db96ce4df4bbb734ab9b425b3bdc6c81d07916f972a02900617ae1a3bb69f0e500ca2dc90f35092a362335a605a253ee