Analysis

Max time kernel: 117s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 03-06-2024 12:00

Static task: static1

Behavioral task: behavioral1
  Sample: 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
  Resource: win10v2004-20240226-en
General

Target: 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
Size: 370KB
MD5: c2c6ca7a9dea1fc9708b57d3ae1d9bc7
SHA1: 8cf4f02d6d97813310c7778bac555d00f4eab8b4
SHA256: b53a20869d2145b135c61cb1fbe5b027f47e2cff1f3dbcf2aa4284ad982b581b
SHA512: 5aa6455f821c5651e8038ad98922c11ed3a2bb476e10ca7680acbeb7a750f3f3d7628cf888d1159dd31ffaca5fde46a951068f1cdf56afa0c0437e0ec0debf75
SSDEEP: 6144:rsCwu+mWhJifvtNP/7YXSLB80PcfnMhR3peeYmC6Inht5t:AxmIJQvPkitaIR3pmEInht3
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid / Process: 2548 GPS_ServicePack.exe

Loads dropped DLL (5 IoCs)
  pid / Process: 2772 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
  (the same pid/process entry is recorded five times, once per loaded DLL)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (named in the process tree below; the signature heading is missing from the report)
  description / ioc / Process: Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 2772 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
  (the same pid/process entry is recorded twice)

Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 2772 wrote to memory of 2548 | 2772 8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe | 28
  (the same entry is recorded four times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8cf4f02d6d97813310c7778bac555d00f4eab8b4.exe"
   PID: 2772
   - Loads dropped DLL
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\GPS-1688\GPS_ServicePack.exe (child of PID 2772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GPS-1688\GPS_ServicePack.exe"
      PID: 2548
      - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 246B
MD5: 6583e082bc147c12331ae49dce7e1268
SHA1: 8be14590b5f23fd73373b3bfed1d21cf88fe4e5d
SHA256: 6c00c4063f1b87c046bd34c05030cd790debabbccda11aa21d8dfd30ada520a6
SHA512: 67e63b9a46842392127d006e578cb16f8238ec9f6952e74752a46b61004c4932cd50a357a280328cb7630d706b257c8b63aa8060db44b544cdda846dcc5bfb49

Filesize: 241KB
MD5: 09bfec3c1327db1dc47d29ba857277e2
SHA1: af946352e3f5e48f9c4b4dcd059ff45bb75df881
SHA256: 847c58bd3df8277d2a00541dc014c3b026961f5f3a247dcf7e2bc28b2c32ddcb
SHA512: ec4ce365b4d6e13385f60d83cff95d0c543acbf269b08696c50f17fe17b4451a1e97374867f80d76373274fafeb3756dc3aad66bdd2f32b15a9b7fa1adc0d0d0