Analysis
- max time kernel: 140s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 01:51
Static task: static1
Behavioral task: behavioral1
- Sample: 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
- Resource: win10v2004-20240226-en
General
- Target: 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
- Size: 46KB
- MD5: 1d94b9a477d019a4bfd3c388304e62ad
- SHA1: 7c86b4e3a4d24e01ecb13c67fc2097225882f0e5
- SHA256: 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616
- SHA512: 90906a69622e95b4e4c975905488a4f73bce969cd555fe401e625e29d461c897a76114a0a2e58339c60de27b58c0aacf5e99aefb182722c48ed13ae66b7b0cda
- SSDEEP: 768:keLI9Sqhu9+8tuGKXGRRkwbRlgcXQVQWjSs1tZ8pdNmLUrcrsANsdM5T233U8:NLI4qg9+Q/KMJqSsGpdNmLUIsWsdM5Tq
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe, PID 1448
- Executes dropped EXE (1 IoC)
  Processes:
  - evdhost.exe, PID 1840
- Processes (yara rule matches on memory dumps):
  resource | yara_rule
  - behavioral1/memory/2176-0-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/2176-5-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-11-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-12-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-14-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-16-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-17-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-19-0x0000000010000000-0x000000001000E000-memory.dmp | upx
  - behavioral1/memory/1840-21-0x0000000010000000-0x000000001000E000-memory.dmp | upx
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  - File created | C:\Windows\Debug\evdhost.exe | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
  - File opened for modification | C:\Windows\Debug\evdhost.exe | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | evdhost.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | evdhost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  - Token: SeIncBasePriorityPrivilege | 2176 | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  - PID 2176 wrote to memory of 1448 | 2176 | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe | cmd.exe
  - PID 2176 wrote to memory of 1448 | 2176 | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe | cmd.exe
  - PID 2176 wrote to memory of 1448 | 2176 | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe | cmd.exe
  - PID 2176 wrote to memory of 1448 | 2176 | 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe"
  PID: 2176
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9C658D~1.EXE > nul
    PID: 1448
    - Deletes itself
- C:\Windows\Debug\evdhost.exe
  Command line: C:\Windows\Debug\evdhost.exe
  PID: 1840
  - Executes dropped EXE
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46KB
- MD5: b86e4f5991c54837a94e797d8baf42df
- SHA1: 11a148059b0899ea423a9452dbc55e75cdf37c4c
- SHA256: b89a9d8dc5c408bd725bd34e979c8d94e5dd20712e22db07396199dee6f706b8
- SHA512: cf65ca266aefd5058ba9bb879f05309eee744d939af40f23fa51b1ec71ef1b4024d84cd9a9330a99db897fb0dd71789dbedd736c6b66710bbb69affbd6040ba9