Analysis

- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 01:43
Static task: static1

Behavioral task: behavioral1
- Sample: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
- Resource: win10v2004-20240226-en
General

- Target: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
- Size: 832KB
- MD5: 624287a4c65dc15c11448ab9a18b197d
- SHA1: 985e68377849c429f8408863ae67850827cf7fa0
- SHA256: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040
- SHA512: ae16afa727451cb17795d83b74eec5c1f84681852eedd5970306837ec41cba4f6c881c130215e478d53aa87e3b310bb9854d000008e5dd69c7d60f3b5a5c7a66
- SSDEEP: 24576:1Mm5SH6MIl3LkGDhsmD/U0UN/qiCggCTYRL:1Mm5Lnl7kSU1yijXMRL
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1036  bets.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    2612  cmd.exe
    2612  cmd.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\bets = "C:\\Users\\Admin\\AppData\\Roaming\\bets.exe"  reg.exe

- Runs ping.exe (1 TTP, 3 IoCs)
  Processes (pid / process):
    2504  PING.EXE
    2672  PING.EXE
    3044  PING.EXE

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process), the same entry recorded 6 times:
    2112  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2112  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
    Token: SeDebugPrivilege  1036  bets.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description / pid / process / target process), each entry recorded 4 times:
    PID 2112 wrote to memory of 2256  2112  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe  cmd.exe
    PID 2256 wrote to memory of 2672  2256  cmd.exe  PING.EXE
    PID 2112 wrote to memory of 2612  2112  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe  cmd.exe
    PID 2612 wrote to memory of 3044  2612  cmd.exe  PING.EXE
    PID 2256 wrote to memory of 2596  2256  cmd.exe  reg.exe
    PID 2612 wrote to memory of 2504  2612  cmd.exe  PING.EXE
    PID 2612 wrote to memory of 1036  2612  cmd.exe  bets.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe (PID 2112, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 2256, level 2)
    Command line: "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bets" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bets.exe"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (PID 2672, level 3)
      Command line: ping 127.0.0.1 -n 10
      Signatures: Runs ping.exe

    - C:\Windows\SysWOW64\reg.exe (PID 2596, level 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bets" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bets.exe"
      Signatures: Adds Run key to start application

  - C:\Windows\SysWOW64\cmd.exe (PID 2612, level 2)
    Command line: "cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe" "C:\Users\Admin\AppData\Roaming\bets.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\AppData\Roaming\bets.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (PID 3044, level 3)
      Command line: ping 127.0.0.1 -n 19
      Signatures: Runs ping.exe

    - C:\Windows\SysWOW64\PING.EXE (PID 2504, level 3)
      Command line: ping 127.0.0.1 -n 19
      Signatures: Runs ping.exe

    - C:\Users\Admin\AppData\Roaming\bets.exe (PID 1036, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\bets.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 832KB
- MD5: 624287a4c65dc15c11448ab9a18b197d
- SHA1: 985e68377849c429f8408863ae67850827cf7fa0
- SHA256: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040
- SHA512: ae16afa727451cb17795d83b74eec5c1f84681852eedd5970306837ec41cba4f6c881c130215e478d53aa87e3b310bb9854d000008e5dd69c7d60f3b5a5c7a66