Analysis
Max time kernel: 16s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 19-07-2024 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 738f8ff0be714849c43abd204ffb6930N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 738f8ff0be714849c43abd204ffb6930N.exe
  Resource: win10v2004-20240709-en
General
Target: 738f8ff0be714849c43abd204ffb6930N.exe
Size: 1.7MB
MD5: 738f8ff0be714849c43abd204ffb6930
SHA1: 620dbbdc7822ff6f8c3a07aa11a4de5f4161b23f
SHA256: f0f1f9051a5a082efdbf1b1c3532d52944dc1fd2f83ee2113df12c94a409557e
SHA512: be91f0882c312947933798e7791294833b6be553a0e36cb636df43d7bf8ca426b9474a978b81992f83ee38cc2ff67592fc8714a9bc777cc94aeee31074f1889a
SSDEEP: 24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNU:mbTChxKCnFnQXBbrtgb/iQvu0UHOB
Malware Config
Signatures
Deletes itself (1 IoC)
  PID   Process
  2488  cmd.exe
Executes dropped EXE (1 IoC)
  PID   Process
  1716  WdExt.exe
Loads dropped DLL (4 IoCs)
  PID   Process
  1700  738f8ff0be714849c43abd204ffb6930N.exe
  1008  cmd.exe
  1008  cmd.exe
  1716  WdExt.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  1700  738f8ff0be714849c43abd204ffb6930N.exe
  1716  WdExt.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                procid_target
  PID 1700 wrote to memory of 1008   1700  738f8ff0be714849c43abd204ffb6930N.exe  30
  PID 1700 wrote to memory of 1008   1700  738f8ff0be714849c43abd204ffb6930N.exe  30
  PID 1700 wrote to memory of 1008   1700  738f8ff0be714849c43abd204ffb6930N.exe  30
  PID 1700 wrote to memory of 1008   1700  738f8ff0be714849c43abd204ffb6930N.exe  30
  PID 1700 wrote to memory of 2488   1700  738f8ff0be714849c43abd204ffb6930N.exe  32
  PID 1700 wrote to memory of 2488   1700  738f8ff0be714849c43abd204ffb6930N.exe  32
  PID 1700 wrote to memory of 2488   1700  738f8ff0be714849c43abd204ffb6930N.exe  32
  PID 1700 wrote to memory of 2488   1700  738f8ff0be714849c43abd204ffb6930N.exe  32
  PID 1008 wrote to memory of 1716   1008  cmd.exe                                34
  PID 1008 wrote to memory of 1716   1008  cmd.exe                                34
  PID 1008 wrote to memory of 1716   1008  cmd.exe                                34
  PID 1008 wrote to memory of 1716   1008  cmd.exe                                34
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\738f8ff0be714849c43abd204ffb6930N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\738f8ff0be714849c43abd204ffb6930N.exe"
  PID: 1700
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
    PID: 1008
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
      PID: 1716
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
    PID: 2488
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads