4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4705dbbbdbfe9bb44e6a832ff8146b60N.exe
Size

176KB
MD5

4705dbbbdbfe9bb44e6a832ff8146b60
SHA1

e4f8fb232bd6374cf669ccd6f5baf256a1b3278f
SHA256

4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180
SHA512

5f1da98895c3fefb3875d829842ae3960561e743cc2e89c477c5b1e025807e8f35e6ac8733ff87e4022514605bba597d2077a7e88c8f83e4e59a5b1fa56c0734
SSDEEP

3072:u9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:00MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2116	mtstrint.exe
2928	ddodtall.exe
2948	~87D5.tmp

Loads dropped DLL 3 IoCs

pid	Process
2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe
2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe
2116	mtstrint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\drvi_ssp = "C:\\Users\\Admin\\AppData\\Roaming\\icsuPING\\mtstrint.exe"	4705dbbbdbfe9bb44e6a832ff8146b60N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddodtall.exe	4705dbbbdbfe9bb44e6a832ff8146b60N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	mtstrint.exe
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe
1268	Explorer.EXE
2928	ddodtall.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2116	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	30
PID 2052 wrote to memory of 2116	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	30
PID 2052 wrote to memory of 2116	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	30
PID 2052 wrote to memory of 2116	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	30
PID 2116 wrote to memory of 2948	2116	mtstrint.exe	32
PID 2116 wrote to memory of 2948	2116	mtstrint.exe	32
PID 2116 wrote to memory of 2948	2116	mtstrint.exe	32
PID 2116 wrote to memory of 2948	2116	mtstrint.exe	32
PID 2948 wrote to memory of 1268	2948	~87D5.tmp	21
PID 2052 wrote to memory of 2100	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	33
PID 2052 wrote to memory of 2100	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	33
PID 2052 wrote to memory of 2100	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	33
PID 2052 wrote to memory of 2100	2052	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	33
PID 2100 wrote to memory of 2868	2100	cmd.exe	35
PID 2100 wrote to memory of 2868	2100	cmd.exe	35
PID 2100 wrote to memory of 2868	2100	cmd.exe	35
PID 2100 wrote to memory of 2868	2100	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2868	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268
- C:\Users\Admin\AppData\Local\Temp\4705dbbbdbfe9bb44e6a832ff8146b60N.exe
  "C:\Users\Admin\AppData\Local\Temp\4705dbbbdbfe9bb44e6a832ff8146b60N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Roaming\icsuPING\mtstrint.exe
    "C:\Users\Admin\AppData\Roaming\icsuPING\mtstrint.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\~87D5.tmp
      "C:\Users\Admin\AppData\Local\Temp\~87D5.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    /C 259491829.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "4705dbbbdbfe9bb44e6a832ff8146b60N.exe"
      4⤵
      Views/modifies file attributes
      PID:2868

C:\Windows\SysWOW64\ddodtall.exe
C:\Windows\SysWOW64\ddodtall.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259491829.cmd

Filesize
198B

MD5
debf6e2f7b5cc35fd727714ca5d60741

SHA1
76fd59ee27d720e41082a1bc914bccc92552228d

SHA256
f5baaf16699e9b7dbf324892956f9a996ea763d5101e46822902f0966ed2dcda

SHA512
414a3682c6c9c1d2f385cbcd48f3c90f170acc863b3ceddc6b887ce0dab40ae635a63b21e5540f3be1daae3633991bcbce5fa6aa049582382b612fdf92b3116a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~87D5.tmp

Filesize
6KB

MD5
6a64ef115286878ac8dc6de85f2e384b

SHA1
4c2422fbe793cd5caa90d204de5649a42e47beb4

SHA256
1b75410e85b1cdae1d8b89c8c9213c48e34d4982ad46a532cff0d3b2d5f33fc7

SHA512
1bb60152f6a7573b211d5aaa03adb178fe08241bd7b20b30be1e12a08087b802491f68fa6ba491c46bb7bb4537c24646d72fd0889a036ef603f53788c9ed9a64

Download Submit
C:\Windows\SysWOW64\ddodtall.exe

Filesize
176KB

MD5
4705dbbbdbfe9bb44e6a832ff8146b60

SHA1
e4f8fb232bd6374cf669ccd6f5baf256a1b3278f

SHA256
4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180

SHA512
5f1da98895c3fefb3875d829842ae3960561e743cc2e89c477c5b1e025807e8f35e6ac8733ff87e4022514605bba597d2077a7e88c8f83e4e59a5b1fa56c0734

Download Submit
\Users\Admin\AppData\Roaming\icsuPING\mtstrint.exe

Filesize
176KB

MD5
ef89c72f6aa72cde7417c749fb58ebc6

SHA1
46c2fd7cf6882c805ccf22ca750a4e9fdbf2ee28

SHA256
e3ed03eca6e716bd8002ea465676698978ab937ffcd81b988d83958414107cf8

SHA512
9d6ee052e712cf873cb499c3d80517efebf638d05a5fb5916d50589109b1f19b4fcbd2a730c147593caa3ebb577d09ec321e6b19cc2d41ea56b1a660f6fa434b

Download Submit
memory/1268-17-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1268-23-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1268-18-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/2052-0-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2116-11-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2928-27-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2928-26-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2928-22-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download