Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 01:06

Static task: static1
Behavioral task: behavioral1
  Sample: 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe
  Resource: win10v2004-20240508-en

General
Target: 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe
Size: 4.5MB
MD5: 116fe2b909ecbd566b0ace44a9eea180
SHA1: c5266a67ba49645aca4b70a9a84047041629bac8
SHA256: 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb
SHA512: 0421a7638dca2eec5bbcffd45c9de2fea4235779d506f51d252123e5135e7355b19bf254186e785554c71c82864bcb54f42a3a2aa3a0835560081238c743e894
SSDEEP: 98304:EAjGEaI6o/bPLge0Vgu0AqN3u37HmKam/BivHcjvUB:ky6GjLgnNGN3u3qKakBwHcg
Malware Config
Signatures
UPX dump on OEP (original entry point) 4 IoCs
  resource | yara_rule
  behavioral1/memory/2276-5-0x0000000000400000-0x0000000000B70000-memory.dmp | UPX
  behavioral1/memory/2276-8-0x0000000000400000-0x0000000000B70000-memory.dmp | UPX
  behavioral1/memory/2276-668-0x0000000000400000-0x0000000000B70000-memory.dmp | UPX
  behavioral1/memory/2276-669-0x0000000000400000-0x0000000000B70000-memory.dmp | UPX
Launches sc.exe 1 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2072 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  2712 | 2276 | WerFault.exe | 27
Modifies Control Panel 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Appearance\Schemes | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Appearance\Schemes | rundll32.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid | Process
  2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 2664 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 28
  PID 2276 wrote to memory of 2664 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 28
  PID 2276 wrote to memory of 2664 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 28
  PID 2276 wrote to memory of 2664 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 28
  PID 2664 wrote to memory of 2072 | 2664 | cmd.exe | 30
  PID 2664 wrote to memory of 2072 | 2664 | cmd.exe | 30
  PID 2664 wrote to memory of 2072 | 2664 | cmd.exe | 30
  PID 2664 wrote to memory of 2072 | 2664 | cmd.exe | 30
  PID 2276 wrote to memory of 2572 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 31
  PID 2276 wrote to memory of 2572 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 31
  PID 2276 wrote to memory of 2572 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 31
  PID 2276 wrote to memory of 2572 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 31
  PID 2572 wrote to memory of 2812 | 2572 | cmd.exe | 33
  PID 2572 wrote to memory of 2812 | 2572 | cmd.exe | 33
  PID 2572 wrote to memory of 2812 | 2572 | cmd.exe | 33
  PID 2572 wrote to memory of 2812 | 2572 | cmd.exe | 33
  PID 2812 wrote to memory of 2532 | 2812 | net.exe | 34
  PID 2812 wrote to memory of 2532 | 2812 | net.exe | 34
  PID 2812 wrote to memory of 2532 | 2812 | net.exe | 34
  PID 2812 wrote to memory of 2532 | 2812 | net.exe | 34
  PID 2276 wrote to memory of 2504 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 35
  PID 2276 wrote to memory of 2504 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 35
  PID 2276 wrote to memory of 2504 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 35
  PID 2276 wrote to memory of 2504 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 35
  PID 2504 wrote to memory of 2512 | 2504 | cmd.exe | 37
  PID 2504 wrote to memory of 2512 | 2504 | cmd.exe | 37
  PID 2504 wrote to memory of 2512 | 2504 | cmd.exe | 37
  PID 2504 wrote to memory of 2512 | 2504 | cmd.exe | 37
  PID 2512 wrote to memory of 2384 | 2512 | net.exe | 38
  PID 2512 wrote to memory of 2384 | 2512 | net.exe | 38
  PID 2512 wrote to memory of 2384 | 2512 | net.exe | 38
  PID 2512 wrote to memory of 2384 | 2512 | net.exe | 38
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2400 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 40
  PID 2276 wrote to memory of 2784 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 44
  PID 2276 wrote to memory of 2784 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 44
  PID 2276 wrote to memory of 2784 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 44
  PID 2276 wrote to memory of 2784 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 44
  PID 2784 wrote to memory of 2620 | 2784 | cmd.exe | 46
  PID 2784 wrote to memory of 2620 | 2784 | cmd.exe | 46
  PID 2784 wrote to memory of 2620 | 2784 | cmd.exe | 46
  PID 2784 wrote to memory of 2620 | 2784 | cmd.exe | 46
  PID 2620 wrote to memory of 2572 | 2620 | net.exe | 47
  PID 2620 wrote to memory of 2572 | 2620 | net.exe | 47
  PID 2620 wrote to memory of 2572 | 2620 | net.exe | 47
  PID 2620 wrote to memory of 2572 | 2620 | net.exe | 47
  PID 2276 wrote to memory of 2028 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 48
  PID 2276 wrote to memory of 2028 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 48
  PID 2276 wrote to memory of 2028 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 48
  PID 2276 wrote to memory of 2028 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 48
  PID 2028 wrote to memory of 2800 | 2028 | cmd.exe | 50
  PID 2028 wrote to memory of 2800 | 2028 | cmd.exe | 50
  PID 2028 wrote to memory of 2800 | 2028 | cmd.exe | 50
  PID 2028 wrote to memory of 2800 | 2028 | cmd.exe | 50
  PID 2800 wrote to memory of 2548 | 2800 | net.exe | 51
  PID 2800 wrote to memory of 2548 | 2800 | net.exe | 51
  PID 2800 wrote to memory of 2548 | 2800 | net.exe | 51
  PID 2800 wrote to memory of 2548 | 2800 | net.exe | 51
  PID 2276 wrote to memory of 2436 | 2276 | 24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe | 53
Processes
C:\Users\Admin\AppData\Local\Temp\24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24973e8808c205b7761b5b468df343b1826c6c339e66e5661103a42632aa0dbb.exe"
  PID: 2276
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c sc config "UxSms" start= demand
      PID: 2664
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          Command line: sc config "UxSms" start= demand
          PID: 2072
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net stop "Desktop Window Manager Session Manager"
      PID: 2572
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          Command line: net stop "Desktop Window Manager Session Manager"
          PID: 2812
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
              PID: 2532
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net start "Desktop Window Manager Session Manager"
      PID: 2504
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          Command line: net start "Desktop Window Manager Session Manager"
          PID: 2512
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
              PID: 2384
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
      PID: 2400
      - Modifies Control Panel
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net stop "Desktop Window Manager Session Manager"
      PID: 2784
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          Command line: net stop "Desktop Window Manager Session Manager"
          PID: 2620
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
              PID: 2572
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net start "Desktop Window Manager Session Manager"
      PID: 2028
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          Command line: net start "Desktop Window Manager Session Manager"
          PID: 2800
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
              PID: 2548
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
      PID: 2436
      - Modifies Control Panel
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net stop "Desktop Window Manager Session Manager"
      PID: 2036
        C:\Windows\SysWOW64\net.exe
          Command line: net stop "Desktop Window Manager Session Manager"
          PID: 1908
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
              PID: 2608
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c net start "Desktop Window Manager Session Manager"
      PID: 2604
        C:\Windows\SysWOW64\net.exe
          Command line: net start "Desktop Window Manager Session Manager"
          PID: 2056
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
              PID: 2740
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 256
      PID: 2712
      - Program crash
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 2496
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 804
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 2492
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 020570a88c0692f7f3d1d42379058765
SHA1: bef5e581e4c7ef4f171c165911145dca9c68287e
SHA256: 16efc91532dc5d3d151ce5bdb882e6831d562a54bf8592c31052159ce929cddb
SHA512: 1f47d19f8f2dc77e7ab9fa12b096bb41600f84b67cc22fd41886b9a759c32c3565db23a1dfe039a1d376ffe7d510b3603f0acc5df14886d254235329e074ef9e

Filesize: 1KB
MD5: 29e0e345438882a935d2c0baff457f6c
SHA1: aef4d88c8c81bc9d9440e1f94f792f6ab83e2b5a
SHA256: 0c127592f7670047d0b1928fede6ecf7c827b9e8086500b23756e5c02d09a4c6
SHA512: 8b87df27f7edc9328debeb3a0f68468d1d46615122e815d03330a9682776f85a47ef37889fc210fb28e56d91bf8cf0f0e594f90c3eaff5827dfd57b97a0b359b

Filesize: 1KB
MD5: 159bd6a587f370f16522b2a6f690bcc3
SHA1: c07d14fc439997e2f65b982c0702a985b36b9cf8
SHA256: 9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993
SHA512: a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46

Filesize: 1KB
MD5: d835de730c2496708378bf3dce10892e
SHA1: 591faf986469a03f8d46f5b53a3ebf1eaa67a1c7
SHA256: 2157e9cd768423a4c6a6532cc34fa1b40e9766ee41dad15a7266474c57095bc1
SHA512: a97e55f7196ffab77e1301884908008cd3c0b10fdf4aa48b120060cb26f911f90a3a0a424e38998974aa874776d7442ba8fdce7128fbbddac5e3fce6c3c7ecc8

Filesize: 1KB
MD5: 05471356f0ea1c0f5f5b8deb29c3ebd1
SHA1: 12b14b737d1e0f76ca2494fb7a6841e5792a0504
SHA256: cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7
SHA512: 942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b

Filesize: 1KB
MD5: b65aeb1b3da0b96313cc6e10dde4afe0
SHA1: 34039989280d6d5a45793deaab79665c79b74b8d
SHA256: 0254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c
SHA512: be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea