Overview

overview

7

Static

static

3

53501f1226...1f.exe

windows7-x64

7

53501f1226...1f.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    142s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

  • Size

    573KB

  • MD5

    b07b3994ad66a39937d9081eb64cd5f5

  • SHA1

    3fffe0fb2721f440909f99c5cb74d1d556ac45bb

  • SHA256

    53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f

  • SHA512

    43c7d08528c57467054c69c7d2b007662f618604abb465d92b1118dff290d0cb0bc8b2458ef35ae93fbc4d4b2f5527c298c350fc7743a21eacd548bd5f02d6e5

  • SSDEEP

    6144:KcBvWsKG0/FZuK1JnKr4AlEhZmqUH1o0TLIaGWDwiyPAw9RyJqIZRSNQABuX+rVy:nKFZ1exehZmNHKyrwLpaJlZrf+r0

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
    "C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
      "C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 68
        3⤵
        • Program crash
        PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nst705.tmp\System.dll
    Filesize

    12KB

    MD5

    12b140583e3273ee1f65016becea58c4

    SHA1

    92df24d11797fefd2e1f8d29be9dfd67c56c1ada

    SHA256

    014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

    SHA512

    49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

    Download Submit
  • memory/1568-13-0x00000000772B1000-0x00000000773B2000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1568-14-0x00000000772B0000-0x0000000077459000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2104-15-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-16-0x00000000772B0000-0x0000000077459000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2104-17-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-39-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-41-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-40-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-42-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-43-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2104-44-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download