Resubmissions

24-06-2024 13:27

240624-qqbq2sthna 10

06-04-2024 12:50

240406-p2yvaabc36 10

Analysis

  • max time kernel
    120s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-04-2024 12:50

General

  • Target

    6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe

  • Size

    145KB

  • MD5

    c00352e2857075c8f757ea9be769b652

  • SHA1

    2a100aa5902ba6f9f35187117182afabf220071b

  • SHA256

    6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c

  • SHA512

    94d7e90ebd6b1d37daa43617a345c463d59096903a55621ff3eb490179411cb7bb58f75bb396a5d2b8720701833dc623ddfb259ad35c0716703a8e4bc66018ad

  • SSDEEP

    3072:m6glyuxE4GsUPnliByocWepbN3/1rtqd:m6gDBGpvEByocWeFN3/F8

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
    "C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\ProgramData\FC1A.tmp
      "C:\ProgramData\FC1A.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FC1A.tmp >> NUL
        3⤵
          PID:2028
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x154
      1⤵
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

        Filesize

        129B

        MD5

        a36f1b025628080831d454153253da12

        SHA1

        c137613386b4ba5749b6438e32c61150e11f09e5

        SHA256

        3f8b1358ca1a6ebd9fb6a943dd211a167c8769ad7551bdee34e8e0e2653cf399

        SHA512

        6b37b26f5218ccfbb7e3cae885790de309a54e61931fa16f4f33a0c5130dcef61c8f98cf7ec2d8cba9c31c7288a94cf3b34903f1ba513a33595eed880e6bcac8

      • C:\ProgramData\FC1A.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        145KB

        MD5

        b26f31d3a1ff401b82ca8205a8f463a4

        SHA1

        9fa5c966e3e51d9a11952c099cdb04bfe8fdca29

        SHA256

        1fcbf1246652bff7f81908aecb7a54eb235f8061f9604454f7502306be3362ec

        SHA512

        d6adbd8911c9f9f460b71c05ce4bb971be6fd12368589c0f41766f513d710cd175e77c449c2a34c85ef21df611f1ba6e40d5ff07ac0962f7cbb6698288c12888

      • F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        657d258742254d9aa319159dfb723c26

        SHA1

        e797f9a45c15ac53f3e2eec237262237d864a117

        SHA256

        4d783eb142295051cef357f642352dcb521e09cde24056ed814d49758e888a32

        SHA512

        230fb8e1a4a0fa5ad4066a1a5d178648266ee527d8a4c094718d0ead7cb5aeead6b541bcae3053fe2ec6f22fdcc5242881690983e9833366e98cd7ece2a8d5c3

      • memory/1900-108-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/1900-110-0x0000000000320000-0x0000000000360000-memory.dmp

        Filesize

        256KB

      • memory/1900-115-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1900-113-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1900-111-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1900-142-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1900-143-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/1900-144-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/2144-0-0x0000000000270000-0x00000000002B0000-memory.dmp

        Filesize

        256KB