Overview

overview

10

Static

static

3

1d3d325b62...9b.exe

windows7-x64

10

1d3d325b62...9b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2024 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe

  • Size

    5.5MB

  • MD5

    4af2e6a8be2b1862e2e1fb834da6a927

  • SHA1

    cb01022fa8b4884e17cfc26b2320d166058c5e99

  • SHA256

    1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b

  • SHA512

    b174b4fb021930b2515236876e1145dd585c7a40949cd6647c0cb88e6efd20382926d6bbae686f5b0b94610c4b47e40293f4452d408ee34403a8093ffecc81ce

  • SSDEEP

    24576:RFVmFF1UBOW6UWaPXiWdLSvwboQyzcQWQatx50PcL+J0qTIPwPyUCZv9F8JissLs:7Dxww8uX2FjHCdl+hnCqimL47JAl

Score
7/10
execution

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe
    "C:\Users\Admin\AppData\Local\Temp\1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:212
    • \??\c:\st\Autoit3.exe
      "c:\st\Autoit3.exe" c:\st\script.a3x
      2⤵
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:888
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdhfffd\aghhfdf
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\bdhfffd\aghhfdf
    Filesize

    54B

    MD5

    c8bbad190eaaa9755c8dfb1573984d81

    SHA1

    17ad91294403223fde66f687450545a2bad72af5

    SHA256

    7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

    SHA512

    05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    Download Submit

  • C:\st\Autoit3.exe
    Filesize

    128KB

    MD5

    5de419f89025ec79495d1815f331a4dc

    SHA1

    ff1165ebd796ba40063b8a2693ac5b4f67aa28e3

    SHA256

    49dda37ef4ff129d2cf2cfe0612bc285f8eb0150a0b1e08b7c6af03cc0a367c7

    SHA512

    5b7f019921aaae24d7f4af1c9e846ec6362cffd61813470d5fc37f2ed1aeccebd02e24258418e1ffb32d79365db6517d30a75d0055a8584037f9f937b1c5e0fa

    Download Submit

  • \??\c:\st\script.a3x
    Filesize

    128KB

    MD5

    459f787d88aac14c999a80eb8ea2d38f

    SHA1

    939996db290d4b2aba35547b738d3b486978fdf6

    SHA256

    d9ebd880ec387e36f30d9577d2f67a7f7fbdadd02b2d3ae6cb32b071ff820cc9

    SHA512

    1f8cb561288a388ec8f1d8d42e9d050ae201ab31b99a7cf251dff467553aec09665ebba405d07798974a47deed05170adc94708ca054257d08f1cd548311aa54

    Download Submit

  • memory/212-6-0x0000000001A00000-0x0000000001B72000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/212-2-0x0000000001A00000-0x0000000001B72000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/212-0-0x0000000001870000-0x00000000019F3000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/888-10-0x0000000000D70000-0x0000000001170000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/888-11-0x0000000003C90000-0x0000000004010000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/888-14-0x0000000003C90000-0x0000000004010000-memory.dmp

    Filesize

    3.5MB

    Download