Analysis
max time kernel: 142s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: 1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  Resource: win10v2004-20240508-en
General
Target: 1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
Size: 13.3MB
MD5: e4f4ba61119d6c8144c72ccd612d34c1
SHA1: c4f937e301e219e9abe11d1b88990e88317d8a77
SHA256: 1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8
SHA512: 7d745adaca21351d83f61de48bc72c7f1c0a45d0641bfd4dc9274f76cf1f511553ffd5545392518e5df99a58fad16150f75a652f10fdb7fd4c7cb95ecd162afc
SSDEEP: 196608:z89duCvh7pQoXhQET1AIxGJYJbaogx2gsgggggjxl95:Ouy7p7XhN5aaHgYgdxb
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  3468  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  3468  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                             Process
  File created                  C:\Windows\Fonts\font_temp.ttf  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  File opened for modification  C:\Windows\Fonts\font_temp.ttf  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  4768  PING.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  3468  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
  3468  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2944 wrote to memory of 228   2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe  81
  PID 2944 wrote to memory of 228   2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe  81
  PID 2944 wrote to memory of 228   2944  1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe  81
  PID 228 wrote to memory of 4768   228   cmd.exe                                                                 83
  PID 228 wrote to memory of 4768   228   cmd.exe                                                                 83
  PID 228 wrote to memory of 4768   228   cmd.exe                                                                 83
  PID 228 wrote to memory of 3468   228   cmd.exe                                                                 84
  PID 228 wrote to memory of 3468   228   cmd.exe                                                                 84
  PID 228 wrote to memory of 3468   228   cmd.exe                                                                 84
Processes
- C:\Users\Admin\AppData\Local\Temp\1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe"
  PID: 2944
  Signatures:
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
    PID: 228
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 2
      PID: 4768
      Signatures:
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\1a7dafe3ba889fc094ee5de905d6f3da99e15ff0842226b960c9784f6e8cedf8.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1A7DAF~1.EXE"
      PID: 3468
      Signatures:
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: a1df3b7884c175c967505a589ba51da2
  SHA1: 7aaf570e41a00149134973d00f4efc09c4b650c2
  SHA256: c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525
  SHA512: 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451
- Filesize: 113B
  MD5: 316c6b80b5f194e580d3770d19cffbc7
  SHA1: c87edf4ad995d5b21f1774129da51bfc459fff55
  SHA256: 4462700d9d1b8bda0b5cc51f8307628ed9276a0bf9ef28a0bd81803ca32cb521
  SHA512: 6061bd6899c3bf3fd5e26313123c25ecbf33e5b5aa11f09c2af71d4f570e5ef9107aab5795b19dfe3121cae6b0c09b38fe31333d4a45964070e23619cdf6ef89
- Filesize: 333KB
  MD5: 56a2bcecbd3cddd6f4a35361bf4920d6
  SHA1: 992e63be423f0e61093ba183f49fc0cbec790488
  SHA256: 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
  SHA512: 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551
- Filesize: 8.0MB
  MD5: 092a99ee52bbaef7481cc96c5b85b992
  SHA1: 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b
  SHA256: b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d
  SHA512: 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf