9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
Size

176KB
MD5

6e7e7b5cafd9ea6f56aba08607200a2f
SHA1

6c3fc039dfe8fad4afa788ffd1baf71b509eaf2d
SHA256

9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab
SHA512

495e90b08cec9b9361d4eca173a60973f9e9194a8412afe0073a26c19c672d9e6c73edcdc60487c9c1b4ac9c89ca71a4b3f7d0402358217f39d606a937176abd
SSDEEP

3072:C9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:40MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3440	iexpll32.exe
1860	certmmc.exe
3212	~9710.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sckill = "C:\\Users\\Admin\\AppData\\Roaming\\DpiShost\\iexpll32.exe"	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\certmmc.exe	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3440	iexpll32.exe
3440	iexpll32.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE
1860	certmmc.exe
1860	certmmc.exe
3456	Explorer.EXE
3456	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3440	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	80
PID 4824 wrote to memory of 3440	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	80
PID 4824 wrote to memory of 3440	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	80
PID 3440 wrote to memory of 3212	3440	iexpll32.exe	82
PID 3440 wrote to memory of 3212	3440	iexpll32.exe	82
PID 3212 wrote to memory of 3456	3212	~9710.tmp	56
PID 4824 wrote to memory of 1280	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	83
PID 4824 wrote to memory of 1280	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	83
PID 4824 wrote to memory of 1280	4824	9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe	83
PID 1280 wrote to memory of 2748	1280	cmd.exe	85
PID 1280 wrote to memory of 2748	1280	cmd.exe	85
PID 1280 wrote to memory of 2748	1280	cmd.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2748	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456
- C:\Users\Admin\AppData\Local\Temp\9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe
  "C:\Users\Admin\AppData\Local\Temp\9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Roaming\DpiShost\iexpll32.exe
    "C:\Users\Admin\AppData\Roaming\DpiShost\iexpll32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\~9710.tmp
      "C:\Users\Admin\AppData\Local\Temp\~9710.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    /C 240621468.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab.exe"
      4⤵
      Views/modifies file attributes
      PID:2748

C:\Windows\SysWOW64\certmmc.exe
C:\Windows\SysWOW64\certmmc.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240621468.cmd

Filesize
291B

MD5
205c6399bce874142fddaa15444968fd

SHA1
972524928d9360144b1c6f0ba719f2713ed6303e

SHA256
755914d077d603d9695a995adbef15495ca8328ecdecc83a050a0a9e6efc8fc7

SHA512
30aee06ccc0f2f8d3e04cfcb339e42f56f7825f81afceb1af22c3adc5b160c3413f9c00ea902b9097ea25e120dc358aeb45340f30d7e9b1441465b7c53ea7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9710.tmp

Filesize
6KB

MD5
082db8b9af2278e26948d88ba9e5503c

SHA1
1a00b080c9d1cecf45ab6aba09f5f6a5e36f606c

SHA256
12c569bebb52fa1321abef50b79fc9ce4a88b4861bc202fc6e3083c5bce77b93

SHA512
2f42bbccb3f599da1c494a64efb7642b3c1fc111c5c21dded585fac91508a6b558099f70dc99bb463d5a3c41a3a7aefded02b946eee7622e2c2dd005db5a73e7

Download Submit
C:\Users\Admin\AppData\Roaming\DpiShost\iexpll32.exe

Filesize
176KB

MD5
7934d6a72ce359ab08a0de26fa6f5567

SHA1
b9986a165d9b2e4e9ff963857e53290365e7e27f

SHA256
2461869fc0c2eca91a42322194709e6ae85f2a7f6cd2f4bcedd5094863b0c712

SHA512
0ddfc609256f319c37ceca4dde0d3327a6819808d01dd966a6873accb1f8355308f9a9b6656ef3cc1a8264d984227119a1655f16e44f383774f7638c7b8bdcbd

Download Submit
C:\Windows\SysWOW64\certmmc.exe

Filesize
176KB

MD5
6e7e7b5cafd9ea6f56aba08607200a2f

SHA1
6c3fc039dfe8fad4afa788ffd1baf71b509eaf2d

SHA256
9d714855751945b91b740169675a9b07483eaf91e9e63e1e442e2d55ee9d9eab

SHA512
495e90b08cec9b9361d4eca173a60973f9e9194a8412afe0073a26c19c672d9e6c73edcdc60487c9c1b4ac9c89ca71a4b3f7d0402358217f39d606a937176abd

Download Submit
memory/1860-19-0x0000000001300000-0x0000000001340000-memory.dmp

Filesize
256KB

Download
memory/1860-20-0x0000000001300000-0x0000000001340000-memory.dmp

Filesize
256KB

Download
memory/1860-22-0x0000000001300000-0x0000000001340000-memory.dmp

Filesize
256KB

Download
memory/3440-6-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/3456-14-0x0000000002700000-0x0000000002743000-memory.dmp

Filesize
268KB

Download
memory/3456-13-0x0000000002700000-0x0000000002743000-memory.dmp

Filesize
268KB

Download
memory/4824-0-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download