Analysis

  • max time kernel
    14s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 15:08

Errors

Reason
Machine shutdown

General

  • Target: dbedeb6bcf5a905fc9cd3159ecb486a9.exe
  • Size: 244KB
  • MD5: dbedeb6bcf5a905fc9cd3159ecb486a9
  • SHA1: 48752df112bb4512bc7d2a94eb559278e8c6649d
  • SHA256: bdc2a05298d45a6eb8383aaa9cdfbc1bdfbd6709d31beee4f67d20820cac626b
  • SHA512: 35ef0965f671232fb7713c723f1f7a3a905c67f51bd00e8de28cbb098d8ef9f71eb0f023033b35ad0098d35ad569e481d596858a3aaf8760e3e103c6906c2ab0
  • SSDEEP: 6144:TLlRodPmZd7T5hmu3eqK2iV2K0mFkfLKi8R+ntnV4:1Rod+Zd7n3O/V2K0mFkfmiA0nV4

Signatures

  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbedeb6bcf5a905fc9cd3159ecb486a9.exe
    "C:\Users\Admin\AppData\Local\Temp\dbedeb6bcf5a905fc9cd3159ecb486a9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\ipw.exe
      "C:\Users\Admin\AppData\Local\Temp\ipw.exe"
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2892
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2512
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2720
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2216

Downloads

  • C:\Windows\SysWOW64\fsutk.dll
    Filesize: 116KB
    MD5: be0b4f5b0c11cc5f7b9acaa23f0ca443
    SHA1: cf99197f1ae49e5ffc35c81b0b0603640d9b0b1a
    SHA256: 70601bb1cbf48a6bd507310ed0f6d21c873c1a320784cbbd82d23d60d3c5f234
    SHA512: 9829c1e6f4dd748bdad6d6a9015c25f601c3ec1a82e00fa791cae09ade6ebc0e2a09ff4bc14cb43857a7ce35807a73f08de7a27519fb04fce80c8dbfef56f52e

  • \??\c:\$Recycle.bin\int.dat
    Filesize: 220KB
    MD5: 4f69d71a0568508730966bdd39b95c95
    SHA1: 878ea7d895ba421cca8bfae1c71698009a847d74
    SHA256: 02b4e1d03e2064b0ebdd4d95cee3287f0d4dc69f373554eadd824c6d3df40331
    SHA512: d04dfae26f44647636acc087dfb6cd9db479743663db970fa5764b844f98052a549f4614a358a820acc55df75cae3ede9bca4865f739106ab6e501568a16ae99

  • \??\c:\windows\SysWOW64\liprip.dll
    Filesize: 84KB
    MD5: e942a0f126a283ac5305993d0be0b8f4
    SHA1: ab77366093838f10879bcab3e7fd0f71ef75afd8
    SHA256: a4acc2d63fb7f6cd12211a57541f11d391f02cd9ed6ef003d35160d3c6e05104
    SHA512: 7f5155d4b93c1c146c3b19e9a7d6d318d8d827a3d30e41a69ab1edb39670bb4bcf174c3b7ec603c1cd3cbbee6923c30c1f458968a735d1d8cfcd039ed9f51a74

  • \Users\Admin\AppData\Local\Temp\ipw.exe
    Filesize: 20KB
    MD5: f417997432de8f500c7b3e86a3defcc7
    SHA1: 8450126b476688e10dcaec5ca6e4b036929160ed
    SHA256: 599a8a9acae1ddb98e3bd096256dcabc2b620059bd4d1e968b0424dbc9b97f1a
    SHA512: 77f4718bf308680f3f049437a57c4e1603b3d3ce38d51c5c60fd1b7511aedd9175aae207db1911f903365686e8d7d9be457ae0095bb48bb2f5ea9841cb99ddc7

  • memory/2216-134-0x0000000002B30000-0x0000000002B31000-memory.dmp
    Filesize: 4KB

  • memory/2512-18-0x00000000000A0000-0x00000000000C0000-memory.dmp
    Filesize: 128KB

  • memory/2720-79-0x0000000002E90000-0x0000000002E91000-memory.dmp
    Filesize: 4KB