Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 22:58
Behavioral task: behavioral1
- Sample: 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
- Resource: win10v2004-20240508-en
General
- Target: 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
- Size: 137KB
- MD5: 54e8417561e9010089f3932f1e9e29a9
- SHA1: 7e235a8cd0d6be7b79f27df500d11b30992b0d6f
- SHA256: 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae
- SHA512: 288494de4d03c63e223c9cddec12de430f2b5d35652bc72f90fba3ebdcb558225de86e051b5bd0a0d2f5e31704b033398bbd2d8592df092cd7f24282cac6b212
- SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6Dse:7907wTr9mea+i6WKQ2
Malware Config
Signatures
- Detects executables packed with ASPack (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1924-2-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/1924-1-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/1924-0-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/files/0x0037000000016c26-7.dat | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/2140-11-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
- Modifies AppInit DLL entries (2 TTPs)
- (unnamed signature)
  resource | yara_rule
  behavioral1/files/0x0037000000016c26-7.dat | aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  pid | Process
  2140 | dbilzqh.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
  File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | dbilzqh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1924 | 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
  2140 | dbilzqh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2756 wrote to memory of 2140 | 2756 | taskeng.exe | 29
  PID 2756 wrote to memory of 2140 | 2756 | taskeng.exe | 29
  PID 2756 wrote to memory of 2140 | 2756 | taskeng.exe | 29
  PID 2756 wrote to memory of 2140 | 2756 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 1924
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {964F5C60-9C9F-4CD4-9B5B-0337396C44B7} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2756
  - C:\PROGRA~3\Mozilla\dbilzqh.exe (child of taskeng.exe)
    command line: C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2140
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 137KB
  MD5: 8346cff904bddb28c9c135287ea00fa6
  SHA1: e480fce63d9ed52ec6105de6387333a07033224b
  SHA256: 3c4addbb4b022a444dd1256471f77c15090dd1d138a25147d66ee32b2e5fd69b
  SHA512: b4d5cc3051bca0db26772cb30799d50b0ad0cde44ad0763089702aadb7154d94252347b28b05b1e746e32bddb4cb69e91fba9104bf740e71a34622e454c64252