Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 05:52

Static task: static1
Behavioral task: behavioral1
- Sample: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
- Resource: win10v2004-20240412-en
General
- Target: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
- Size: 1.8MB
- MD5: 69359444b4d6c20a5d35760c4e398e72
- SHA1: b18cafef685055e4bdbe34a090d0cf11028b5d86
- SHA256: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61
- SHA512: eec44f156cfd811b638c85da9a5c5b2f03d3e3ec621e4229cf7d2361e72296e23e1dd5f4a0d78ab02ce390e70aae54c068cbf3b491120d671069098c26342070
- SSDEEP: 24576:VhQYeEDa/vWCcFbPzvTtfO6BgCf5ekB1ovK+am89fnK4X9ZNYd1MV1FdKD1vWk+p:VS0k69FXpKD1LpIYDrcp2fS/XTl
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: fdp.exe (PID 1996)
- Loads dropped DLL (2 IoCs)
  Process: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe (PID 2200), two loads; the report does not name the DLL
- Suspicious behavior: RenamesItself (1 IoC)
  Process: c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe (PID 2200)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2200 (c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe) wrote to memory of PID 2116 (cmd.exe), 4 times
  PID 2200 (c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe) wrote to memory of PID 1996 (fdp.exe), 4 times
  Both targets are processes that 2200 itself started (see Processes below). A parent writing into a child it has just created is also what CreateProcess does while setting up the new process, so these writes on their own do not prove code injection; the report lists no writes into any process that 2200 did not spawn.
Processes
- C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\中国计量大学现代科技学院关于10月9日施行临时封闭管理措施(1).docx
    (The document name translates to "China Jiliang University College of Modern Science and Technology: notice on implementing temporary closed management measures from 9 October (1).docx". Running cmd /c on a .docx opens it with its registered handler, so the document is displayed to the user while the dropped fdp.exe runs from C:\Users\Public. The sample resolving "cmd" to the SysWOW64 copy shows the parent is a 32-bit process.)
  - C:\Users\Public\fdp.exe
    Command line: C:\Users\Public\fdp.exe
    Signatures: Executes dropped EXE
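The chain in the process tree above (a Temp-resident executable that spawns cmd.exe /c on a decoy .docx and starts a second executable from C:\Users\Public) is specific enough to turn into a triage rule. The following is an added example and not part of the sandbox report or the sample's own code: it runs that rule over constructed Sysmon-style process-creation events and checks file hashes against the hashes the report lists for the dropped fdp.exe. The ProcEvent shape, the field names and SAMPLE_EVENTS are assumptions made for the example; the PIDs and paths in them mirror the report's tree, and the decoy file name is shortened to decoy.docx.

```python
"""Triage rule for the dropper chain shown in the sandbox process tree.

Added example (not the report's or the sample's code). Event shape,
field names and SAMPLE_EVENTS are constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass

# Hashes of the dropped C:\Users\Public\fdp.exe, copied from the report's
# Downloads section (19 KB file).
DROPPED_FDP_EXE_HASHES = {
    "md5": "85ca4c24b93dde56321e62ce71aa8bb2",
    "sha1": "4eab75f775686e0bc73227158a1efa432aa462e9",
    "sha256": "d477d9fdfd2da88396a21f277c066635d34c6ed17c570b740364d7e04d3618eb",
}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed shape for this example)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged


# An .exe run straight out of a user's AppData\Local\Temp directory.
TEMP_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# An .exe run from the world-writable C:\Users\Public directory.
PUBLIC_EXE = re.compile(r"^[a-z]:\\users\\public\\[^\\]+\.exe$", re.I)
# "/c <something>.doc|.docx": cmd.exe hands the document to its registered
# handler, which is how the lure is shown to the victim.
DECOY_OPEN = re.compile(r"/c\b.*\.docx?\b", re.I)


def find_decoy_dropper_chains(events):
    """Return one finding per parent that matches the whole chain.

    A parent qualifies only when it is a Temp-resident .exe AND has both a
    cmd.exe child opening a .doc/.docx AND a child .exe under C:\\Users\\Public.
    Either child alone is far too common to alert on.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or not TEMP_EXE.match(parent.image):
            continue
        decoys = [k.cmdline for k in kids
                  if k.image.lower().endswith("\\cmd.exe")
                  and DECOY_OPEN.search(k.cmdline)]
        dropped = [k.image for k in kids if PUBLIC_EXE.match(k.image)]
        if decoys and dropped:
            findings.append({
                "parent_pid": ppid,
                "parent_image": parent.image,
                "decoy_cmdlines": decoys,
                "dropped_exes": dropped,
            })
    return findings


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's bytes, keyed like the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def matches_dropped_payload(hashes: dict) -> bool:
    """True if any hash equals the report's hash for the dropped fdp.exe."""
    return any(hashes.get(algo, "").lower() == value
               for algo, value in DROPPED_FDP_EXE_HASHES.items())


SAMPLE_NAME = ("c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61"
               ".exe")
# Constructed events mirroring the report's process tree, plus a benign
# explorer.exe -> notepad.exe pair that must not match.
SAMPLE_EVENTS = [
    ProcEvent(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2200, 1234,
              r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME,
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE_NAME + '"'),
    ProcEvent(2116, 2200, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd " /c " C:\Users\Admin\AppData\Local\Temp\decoy.docx'),
    ProcEvent(1996, 2200, r"C:\Users\Public\fdp.exe", r"C:\Users\Public\fdp.exe"),
    ProcEvent(3001, 1234, r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for hit in find_decoy_dropper_chains(SAMPLE_EVENTS):
        print(f"PID {hit['parent_pid']} {hit['parent_image']}")
        print("  decoy  :", hit["decoy_cmdlines"])
        print("  dropped:", hit["dropped_exes"])
    print("hash IoC hit:", matches_dropped_payload(DROPPED_FDP_EXE_HASHES))
```

The rule keys on the parent-child relationship rather than on the file names, so renaming fdp.exe or the decoy does not evade it; what would evade it is moving the dropped binary out of C:\Users\Public or opening the lure from the dropper itself instead of via cmd.exe, which is why the hash check is kept alongside it.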
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Public\fdp.exe
  Filesize: 19KB
  MD5: 85ca4c24b93dde56321e62ce71aa8bb2
  SHA1: 4eab75f775686e0bc73227158a1efa432aa462e9
  SHA256: d477d9fdfd2da88396a21f277c066635d34c6ed17c570b740364d7e04d3618eb
  SHA512: 135775dab2dd24b345e33ac6a026e72d8b37b63a2f4156921c8995dd5e1cf2a8219571f29de4ded832d4d4cc8a6235449f962e797065ad6094ba1b622eb5aec6
- memory/1996-9-0x000000013F790000-0x000000013F798000-memory.dmp
  Filesize: 32KB
- memory/2200-3-0x0000000000690000-0x0000000000698000-memory.dmp
  Filesize: 32KB
- memory/2200-10-0x0000000000690000-0x0000000000698000-memory.dmp
  Filesize: 32KB
  (The fdp.exe dump sits at 0x13F790000, a range consistent with a 64-bit image base, while the parent's dumps are at 0x690000 in the low 32-bit range; both dumps of PID 2200 cover the same 32KB region.)