Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 20:15

General

  • Target

    31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

  • Size

    2.0MB

  • MD5

    d133f4968bf0cfcf2c3e94862eaa41b7

  • SHA1

    a4460e274eaa3d462aeeb530972ecc7b9d5f7844

  • SHA256

    31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3

  • SHA512

    76be7bba7de2a267ad0ac01f815a683009ed87193d2db053e0dcaaf0c6a6d9b7681fb41a34267bef796f55ccd5d3fd51e1dcd0976a7d0a71846dd25d1bf9d6ea

  • SSDEEP

    49152:h8YqH4O8b8ITDnlIfeEXGF+6z8zmqtqCK3RTeyay+hviOZ8afQf2PynL:qDVrw+6zEmqtqCKkT6OWL

Malware Config

Signatures

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 9 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (5 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Checks processor information in registry (2 TTPs, 15 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
    "C:\Users\Admin\AppData\Local\Temp\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1308
    • \??\c:\program files (x86)\reference assemblies\microsoft\framework\v3.5\es\resourcesframework.exe
      "c:\program files (x86)\reference assemblies\microsoft\framework\v3.5\es\resourcesframework.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:904
    • \??\c:\program files (x86)\common files\system\msadc\windowsmsadcfr.exe
      "c:\program files (x86)\common files\system\msadc\windowsmsadcfr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3052
    • \??\c:\program files (x86)\common files\microsoft shared\msinfo\de-de\msinfowindows.exe
      "c:\program files (x86)\common files\microsoft shared\msinfo\de-de\msinfowindows.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3048
    • \??\c:\program files (x86)\microsoft office\office14\microsoftinfopath.exe
      "c:\program files (x86)\microsoft office\office14\microsoftinfopath.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledbOperating.exe

    Filesize

    2.0MB

    MD5

    333927962b3e6c7834cf6cfc74ba4178

    SHA1

    cb7cbc372969c76593629feee34e0f26b0904763

    SHA256

    b53d4dab35f44ab7fb282b8b0f3bb784bbfab7b7b939073dd68c82ed6b50b0b2

    SHA512

    44a5593600ad7aca91ad9fbfdf41ea5fc33125358bf6b1dfcb6ae70a9a8de7b0bbd891f6925e8a8e2498da8da7815720c7901a6e65b13f7e383ab2d30ae0a0b5

  • C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\RCXC2F6.tmp

    Filesize

    2.0MB

    MD5

    a6b54171a978ee9a0daf5f1eb7723cb8

    SHA1

    a524b83a96e744a2d46308374fc5f63d0fd19ff2

    SHA256

    a8082c8f97a10539e1aed864f0b36570f13731f11746af2d48124e1d5dc0034e

    SHA512

    fd9526e26683c01af05ca3861b778779191981514a7b1b84abb89bbb119493c53ddf2f92968da949a34b6ac7e1080f5f6db2f897f9fd490b5daa14da85d4ce69

  • C:\Program Files (x86)\Microsoft Office\Office14\MicrosoftInfoPath.exe

    Filesize

    2.5MB

    MD5

    3172bd384d4191d3175ee2e05196ca41

    SHA1

    6e38500f3f32bd9b08eb3e24a9597d02cff9129b

    SHA256

    4e434fdc7e86915517693c9e1c5832570ca7206ec99623bfcd0c5871329ee068

    SHA512

    07ed7ac573db65783c3b0f09379b6ca5ad8c94f53126a6d44679a1095a0fa8e46c53122b3b4901409e6860db2c9eaf779f9d70cc3e62e34cdcfcbc1d7190f9db

  • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\resourcesFramework.exe

    Filesize

    2.0MB

    MD5

    d133f4968bf0cfcf2c3e94862eaa41b7

    SHA1

    a4460e274eaa3d462aeeb530972ecc7b9d5f7844

    SHA256

    31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3

    SHA512

    76be7bba7de2a267ad0ac01f815a683009ed87193d2db053e0dcaaf0c6a6d9b7681fb41a34267bef796f55ccd5d3fd51e1dcd0976a7d0a71846dd25d1bf9d6ea
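To act on this report on a suspect host, the PowerShell script below is an added triage example; it is not part of the sandbox output. It hashes the paths listed under Downloads and in the process tree against the SHA256 values the report gives, lists running processes with the dropped executables' names, and walks the usual Run keys for an autostart entry naming a dropped file. The report counts 9 Run-key IoCs but does not show the value names, so no value name is assumed and every value is inspected. Note that resourcesFramework.exe carries the same MD5/SHA1/SHA256/SHA512 as the submitted sample, so it is a byte-identical copy of the original; the remaining dropped files have distinct hashes. Assumptions: the script runs elevated on a 64-bit Windows host, and the sample is 32-bit (the report tags arch:x86 and every dropped path is under Program Files (x86)), so HKLM Run writes from it land under WOW6432Node.

```powershell
# Added triage example for the artifacts in this report (not sandbox output).
# Assumes: elevated PowerShell 4.0+ (Get-FileHash) on the suspect x64 host.

# SHA256 values copied from the report (sample and dropped files).
$KnownSha256 = @{
  '31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3' = 'submitted sample / resourcesFramework.exe (byte-identical copy)'
  'b53d4dab35f44ab7fb282b8b0f3bb784bbfab7b7b939073dd68c82ed6b50b0b2' = 'sqloledbOperating.exe'
  'a8082c8f97a10539e1aed864f0b36570f13731f11746af2d48124e1d5dc0034e' = 'RCXC2F6.tmp'
  '4e434fdc7e86915517693c9e1c5832570ca7206ec99623bfcd0c5871329ee068' = 'MicrosoftInfoPath.exe'
}

# Paths the report shows being written to or executed from.
$DroppedPaths = @(
  'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\resourcesFramework.exe',
  'C:\Program Files (x86)\Common Files\System\msadc\windowsmsadcfr.exe',
  'C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfowindows.exe',
  'C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\RCXC2F6.tmp',
  'C:\Program Files (x86)\Microsoft Office\Office14\MicrosoftInfoPath.exe',
  'C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledbOperating.exe'
)

# Run keys to inspect. A 32-bit process writing HKLM\...\Run on x64 is redirected to
# WOW6432Node, so that hive path is included alongside the native and per-user keys.
$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hash every dropped path that exists and label it against the report's hashes.
function Test-DroppedFiles {
  foreach ($p in $DroppedPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $label = if ($KnownSha256.ContainsKey($h)) { $KnownSha256[$h] }
             else { 'present, hash NOT in report (variant or unrelated file)' }
    [pscustomobject]@{ Path = $p; SHA256 = $h; Match = $label }
  }
}

# Running processes whose image name matches one of the dropped executables.
function Test-RunningProcesses {
  $names = $DroppedPaths | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
  Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path
}

# Any autostart value whose command line names a dropped file (value names unknown).
function Test-RunKeys {
  foreach ($k in $RunKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $item = Get-ItemProperty -LiteralPath $k
    foreach ($prop in $item.PSObject.Properties) {
      if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
      $cmd = [string]$prop.Value
      foreach ($p in $DroppedPaths) {
        if ($cmd -like "*$(Split-Path $p -Leaf)*") {
          [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $cmd }
        }
      }
    }
  }
}

Test-DroppedFiles     | Format-Table -AutoSize
Test-RunningProcesses | Format-Table -AutoSize
Test-RunKeys          | Format-Table -AutoSize
```

On the Windows 7 image this report was produced on, Get-FileHash is only available after installing Windows Management Framework 4.0 or later; `certutil -hashfile <path> SHA256` gives the same digest on a stock install. The file matching is deliberately by exact report hash, so a recompiled or repacked variant shows up as "present, hash NOT in report" rather than being silently missed.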