Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 08:19

General

  • Target

    738f8ff0be714849c43abd204ffb6930N.exe

  • Size

    1.7MB

  • MD5

    738f8ff0be714849c43abd204ffb6930

  • SHA1

    620dbbdc7822ff6f8c3a07aa11a4de5f4161b23f

  • SHA256

    f0f1f9051a5a082efdbf1b1c3532d52944dc1fd2f83ee2113df12c94a409557e

  • SHA512

    be91f0882c312947933798e7791294833b6be553a0e36cb636df43d7bf8ca426b9474a978b81992f83ee38cc2ff67592fc8714a9bc777cc94aeee31074f1889a

  • SSDEEP

    24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNU:mbTChxKCnFnQXBbrtgb/iQvu0UHOB

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\738f8ff0be714849c43abd204ffb6930N.exe
    "C:\Users\Admin\AppData\Local\Temp\738f8ff0be714849c43abd204ffb6930N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      2⤵
      • Deletes itself
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

    Filesize

    1.7MB

    MD5

    738f8ff0be714849c43abd204ffb6930

    SHA1

    620dbbdc7822ff6f8c3a07aa11a4de5f4161b23f

    SHA256

    f0f1f9051a5a082efdbf1b1c3532d52944dc1fd2f83ee2113df12c94a409557e

    SHA512

    be91f0882c312947933798e7791294833b6be553a0e36cb636df43d7bf8ca426b9474a978b81992f83ee38cc2ff67592fc8714a9bc777cc94aeee31074f1889a

  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

    Filesize

    129B

    MD5

    d1073c9b34d1bbd570928734aacff6a5

    SHA1

    78714e24e88d50e0da8da9d303bec65b2ee6d903

    SHA256

    b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

    SHA512

    4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

    Filesize

    240B

    MD5

    5e2d3807a8adbab06f78ee47904c5917

    SHA1

    f4e56edafaf7697356ede9be1b03bf96ea8b9e9f

    SHA256

    cb8b4c6bc83d239177e3b86aa6be8429c66cc8f649ba57ca3ce97bcd5273bde9

    SHA512

    95df29a093970ffdebbc7146ff9f94246da4d531d8f640cb00a3ccce203b584d251d4847369aff681977b75b129275ba589efb6202ece181c9c0a56feb579739

  • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    202KB

    MD5

    684c111c78f8bf6fcb5575d400e7669c

    SHA1

    d587894c0beffdff00ae6d358a5463ef18bcb485

    SHA256

    080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

    SHA512

    bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

  • \Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

    Filesize

    1.7MB

    MD5

    d26d758152eba50727f33b8604f69794

    SHA1

    e6e0fb0b5f5bb9b2ade478b36efef0c2582fde08

    SHA256

    6e5528c19ce62877d40550bdac36d8b23d276a62bf0d1ff62e6d079058c3f386

    SHA512

    323a7af8eb29971eea900906f2d513380c6c0492bb7ae8c91c12f989021be8b6fd9530e3d9a9efaa9abc2dbe7eb111c580e31b22fbb4b643e1470acb814414e4

  • \Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    202KB

    MD5

    7ff15a4f092cd4a96055ba69f903e3e9

    SHA1

    a3d338a38c2b92f95129814973f59446668402a8

    SHA256

    1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

    SHA512

    4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

  • memory/1700-0-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB