502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9

Resubmissions

14-06-2024 02:07

240614-ckfads1fng 8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe
Size

4.7MB
MD5

ff0e34e6de60f85ced4c5b0c03439827
SHA1

a92625e7ef73e246b881cec734f93419d27339e2
SHA256

502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9
SHA512

febe06223e8b666a4fe9e9824a8362396bb208cb1e674fbad4c3e240a56e5901e7025c34a45f0ab07c690d4e0f644044b17f0933d591d33d4e9c8dfb4579c647
SSDEEP

98304:UCAv36FrjVzR9ymXUsRQrQZNSg7p4l+UWs4Xp7sKO+urmddl0T:hAvKd4mXoQZNS2Q1ep7Q+FK

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	3A9.installer.tmp

Loads dropped DLL 5 IoCs

pid	Process
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2156	3A9.installer.tmp
2156	3A9.installer.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 2156	1344	rundll32.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3044	powershell.exe
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp
2156	3A9.installer.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1344	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	28
PID 1988 wrote to memory of 1344	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	28
PID 1988 wrote to memory of 1344	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	28
PID 1344 wrote to memory of 3044	1344	rundll32.exe	29
PID 1344 wrote to memory of 3044	1344	rundll32.exe	29
PID 1344 wrote to memory of 3044	1344	rundll32.exe	29
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1344 wrote to memory of 2156	1344	rundll32.exe	31
PID 1988 wrote to memory of 2476	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	32
PID 1988 wrote to memory of 2476	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	32
PID 1988 wrote to memory of 2476	1988	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	32
PID 2156 wrote to memory of 2148	2156	3A9.installer.tmp	35
PID 2156 wrote to memory of 2148	2156	3A9.installer.tmp	35
PID 2156 wrote to memory of 2148	2156	3A9.installer.tmp	35
PID 2156 wrote to memory of 2148	2156	3A9.installer.tmp	35

C:\Users\Admin\AppData\Local\Temp\502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe
"C:\Users\Admin\AppData\Local\Temp\502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" installer.dll,tmp
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - \??\c:\Users\Admin\AppData\Local\Temp\3A9.installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\dllhost.exe
      dllhost.exe
      4⤵
      PID:2148
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
646f83251a5c2b3864d289e231906349

SHA1
a66231936a97769659e00a378b2276e0d6e46bf2

SHA256
985d829096fffca105ba76e27bd89dd3823667d2db85b5201fb217401b309013

SHA512
322aa3c3f57fa72b55a366fb0091e3b0a547826006fa113edfe383086747029412bc6cba33672436ed449f43d9ef203faeb3aa98cbe271f27468f27b9dd291d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.dll

Filesize
23.7MB

MD5
7c5edad99ef4a4ce602e48dcac4c084a

SHA1
99ee62c5819005bdd25f66548c5220b3db6cab44

SHA256
719558c1c3c1322c5d2772168503f33bed5a7b4a0ec86639cf72ea013d82d23d

SHA512
c4d87e960e718763de5872e2d89a4cb63de70e4ddccaccde11d1c4299df1b2a5cf1070757288a49ce88b47037d7122f26889c601335a4351a0df87456c2c17e6

Download Submit
\Users\Admin\AppData\Local\Temp\3A9.installer.tmp

Filesize
1KB

MD5
86e26f7658c514baf3453610fafaf5df

SHA1
c3a50912b49eabb6356fbd34166937ca3097751e

SHA256
8a0182e016458b847d5b9504db227b70d79398bba2fc962e6cab117eb151315e

SHA512
c4dce4e127ae0fad24d6105a490db276e1dbf141e5c2ff3c350dddb01a8225f15fb33a9fcc697ccb928c239bfcb638fd004f59266628a194c79af50d6863dc78

Download Submit
memory/1344-8-0x000007FEF5870000-0x000007FEF5A2D000-memory.dmp

Filesize
1.7MB

Download
memory/1344-38-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/1344-7-0x000007FEF63F0000-0x000007FEF65AD000-memory.dmp

Filesize
1.7MB

Download
memory/1344-10-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1344-11-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/1344-42-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/1344-25-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/1344-33-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/1344-9-0x000007FEF63F0000-0x000007FEF65AD000-memory.dmp

Filesize
1.7MB

Download
memory/2148-59-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2148-56-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/2156-30-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2156-40-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/2156-13-0x0000000000830000-0x00000000008D4000-memory.dmp

Filesize
656KB

Download
memory/2156-15-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2156-53-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/2156-54-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/2156-55-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/2156-58-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/2156-34-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/3044-41-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/3044-43-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download