9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
Size

176KB
MD5

6e7e7b5cafd9ea6f56aba08607200a2f
SHA1

6c3fc039dfe8fad4afa788ffd1baf71b509eaf2d
SHA256

9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab
SHA512

495e90b08cec9b9361d4eca173a60973f9e9194a8412afe0073a26c19c672d9e6c73edcdc60487c9c1b4ac9c89ca71a4b3f7d0402358217f39d606a937176abd
SSDEEP

3072:C9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:40MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2836	dcomiles.exe
2788	~3276.tmp
2596	DispltMC.exe

Loads dropped DLL 3 IoCs

pid	Process
2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
2836	dcomiles.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\comp_ssp = "C:\\Users\\Admin\\AppData\\Roaming\\bthufmon\\dcomiles.exe"	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DispltMC.exe	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	dcomiles.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE
2596	DispltMC.exe
1324	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2836	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	30
PID 2764 wrote to memory of 2836	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	30
PID 2764 wrote to memory of 2836	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	30
PID 2764 wrote to memory of 2836	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	30
PID 2836 wrote to memory of 2788	2836	dcomiles.exe	31
PID 2836 wrote to memory of 2788	2836	dcomiles.exe	31
PID 2836 wrote to memory of 2788	2836	dcomiles.exe	31
PID 2836 wrote to memory of 2788	2836	dcomiles.exe	31
PID 2788 wrote to memory of 1324	2788	~3276.tmp	21
PID 2764 wrote to memory of 2576	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	33
PID 2764 wrote to memory of 2576	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	33
PID 2764 wrote to memory of 2576	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	33
PID 2764 wrote to memory of 2576	2764	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	33
PID 2576 wrote to memory of 1744	2576	cmd.exe	35
PID 2576 wrote to memory of 1744	2576	cmd.exe	35
PID 2576 wrote to memory of 1744	2576	cmd.exe	35
PID 2576 wrote to memory of 1744	2576	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1744	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324
- C:\Users\Admin\AppData\Local\Temp\9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
  "C:\Users\Admin\AppData\Local\Temp\9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\bthufmon\dcomiles.exe
    "C:\Users\Admin\AppData\Roaming\bthufmon\dcomiles.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\~3276.tmp
      "C:\Users\Admin\AppData\Local\Temp\~3276.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    /C 259470098.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe"
      4⤵
      Views/modifies file attributes
      PID:1744

C:\Windows\SysWOW64\DispltMC.exe
C:\Windows\SysWOW64\DispltMC.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259470098.cmd

Filesize
291B

MD5
37306281e6c55ed53fd6e1611063bbf4

SHA1
1d95b943e58a4657da8878429e16cc1ab669afb9

SHA256
5504a823e0c3906b982a0d6cd79458260d10d81336ad1f2b843c5f49f3a3ba52

SHA512
9f98b602d1691a025ef5bf5999ce755a7b6745e4129125f42e2883f8b35aaf737e22d6dc4b67d868ff948e3a1a449907186792cea458bc03424a05201c92e125

Download Submit
C:\Windows\SysWOW64\DispltMC.exe

Filesize
176KB

MD5
6e7e7b5cafd9ea6f56aba08607200a2f

SHA1
6c3fc039dfe8fad4afa788ffd1baf71b509eaf2d

SHA256
9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab

SHA512
495e90b08cec9b9361d4eca173a60973f9e9194a8412afe0073a26c19c672d9e6c73edcdc60487c9c1b4ac9c89ca71a4b3f7d0402358217f39d606a937176abd

Download Submit
\Users\Admin\AppData\Local\Temp\~3276.tmp

Filesize
6KB

MD5
8452126ada63e57f5ae2bdf60551a0a5

SHA1
3da08606ba93bf1189caeba5f89ec41e21946d68

SHA256
50413e40ec806ce9b1e5e0411505ed2d742b30a9e8c77295af6f0863c60b32c3

SHA512
75d6607b066a036ad61200387683dde94fbebcbdf047600ab6479224b9ac49f6b793cb3e4197f3343ccfd6a66ba6623d9d73a96674f4cf9589ba55249c543595

Download Submit
\Users\Admin\AppData\Roaming\bthufmon\dcomiles.exe

Filesize
176KB

MD5
4afad48c537af54d004e6dd452c66a9f

SHA1
1a982ce341fe419dde1507c1551ced74ae584b82

SHA256
c115add04346c28e1d87327d4de90951cc8e5e015513428b03b3a409a9523558

SHA512
17978e91033453e5bdf8077c9641e5e4bf5496622ecc412ad149dd4f6b91635593f519901c64c2fe2697e57af56d657d0e17e1ef54f742cbb2008996ffaa72c0

Download Submit
memory/1324-17-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/1324-16-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/1324-19-0x0000000002490000-0x00000000024D3000-memory.dmp

Filesize
268KB

Download
memory/2596-26-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2596-29-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2596-28-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2764-0-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2836-11-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download