Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2024, 01:01
Static task
static1
Behavioral task
behavioral1
Sample
74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
Resource
win10v2004-20241007-en
General
- Target: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
- Size: 34KB
- MD5: 40af464f0782f35bbacd8f4b8f5b7440
- SHA1: 59e421ee5fee9b5185207a7667fbd6301a7d6b0d
- SHA256: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcd
- SHA512: 3a5978276aa697333d9fad9f17231bab37a862ab6e6308a6b64b36c04d2c30b15d9e3c4af957bb44404edfa6c6c917951583a281b10bf948ba168a31aba975f1
- SSDEEP: 384:s+fn2s0F7/KVf8+FiiftR2okw6nUlSeCFufxVguHniYcLMR7:sSm7/KB/ZT9lSdKxVgwiYcLMR
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
- Disables Task Manager via registry modification
- Disables cmd.exe use via registry modification (1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  pid | Process
  2780 | taskkill.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | Process
  2876 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2780 | taskkill.exe
- Suspicious use of WriteProcessMemory (28 IoCs, grouped by source/target pair)
  description | pid | Process | procid_target | events
  PID 2000 wrote to memory of 1980 | 2000 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 31 | 3
  PID 2000 wrote to memory of 568 | 2000 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 33 | 3
  PID 2000 wrote to memory of 2432 | 2000 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 35 | 3
  PID 2000 wrote to memory of 2412 | 2000 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 37 | 5
  PID 1980 wrote to memory of 2780 | 1980 | cmd.exe | 38 | 3
  PID 568 wrote to memory of 2876 | 568 | cmd.exe | 39 | 5
  PID 2000 wrote to memory of 2228 | 2000 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 40 | 3
  PID 2432 wrote to memory of 2892 | 2432 | cmd.exe | 41 | 3
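The signature records above are the raw material an analyst turns into a triage verdict. The following Python is an added example (not part of the sandbox report or its vendor's tooling): it parses the two record shapes the report prints, "Set value (str) <key> = "<data>" <process>" and "PID <src> wrote to memory of <dst> <src> <image> <procid_target>", applies a small rule set to the registry writes, and rebuilds the process tree from the cross-process memory writes. The sample lines are constructed inline from the report's own IoCs so it runs offline; the assumption that the stock Winlogon\Shell value is explorer.exe is standard Windows behaviour, and a Shell pointing at a non-existent image such as "empty" means no desktop shell starts at logon. The rule names and record regexes are this example's own.

```python
import re
from collections import defaultdict

SAMPLE = "74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe"

# Constructed inline from the report's own IoC lines (win7 behavioral task) so this runs offline.
REGISTRY_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper ' + SAMPLE,
]
MEMORY_RECORDS = [
    f"PID 2000 wrote to memory of 1980 2000 {SAMPLE} 31",
    f"PID 2000 wrote to memory of 568 2000 {SAMPLE} 33",
    f"PID 2000 wrote to memory of 2432 2000 {SAMPLE} 35",
    f"PID 2000 wrote to memory of 2412 2000 {SAMPLE} 37",
    "PID 1980 wrote to memory of 2780 1980 cmd.exe 38",
    "PID 568 wrote to memory of 2876 568 cmd.exe 39",
    f"PID 2000 wrote to memory of 2228 2000 {SAMPLE} 40",
    "PID 2432 wrote to memory of 2892 2432 cmd.exe 41",
]

# Record shapes exactly as the report prints them. The '= "<data>"' part is optional
# because the wallpaper IoC is shown without its data.
REG_RE = re.compile(r'^Set value \((\w+)\) (.+?)(?: = "(.*?)")? (\S+)$')
MEM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def parse_registry(lines):
    """Return (value_type, key, value_name, data, process); data is None when the report omits it."""
    records = []
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            raise ValueError("unrecognised registry record: " + line)
        value_type, path, data, process = m.groups()
        key, _, value_name = path.rpartition("\\")
        records.append((value_type, key, value_name, data, process))
    return records


def parse_memory(lines):
    """Return (source_pid, source_image, target_pid) for each cross-process write."""
    records = []
    for line in lines:
        m = MEM_RE.match(line)
        if not m:
            raise ValueError("unrecognised memory record: " + line)
        src, dst, image, _procid_target = m.groups()
        records.append((int(src), image, int(dst)))
    return records


def registry_findings(records):
    """Apply a few rules to the parsed Set-value records and return human-readable findings."""
    findings = []
    for _t, key, name, data, process in records:
        k, n = key.lower(), name.lower()
        if k.endswith(r"\winlogon") and n == "shell" and (data or "").lower() != "explorer.exe":
            # Winlogon\Shell names the program started at logon; the stock value is explorer.exe.
            findings.append(f"{process}: Winlogon Shell set to {data!r} instead of explorer.exe")
        elif k.endswith(r"\policies\system") and n in ("disablecmd", "disabletaskmgr") and data == "1":
            findings.append(f"{process}: {name} policy set to 1")
    return findings


def build_tree(records):
    """Parent -> ordered unique children, derived from who wrote into whose memory."""
    children = defaultdict(list)
    image = {}
    for src, src_image, dst in records:
        image[src] = src_image
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), image


def descendants(children, pid):
    """All PIDs reachable from pid, sorted numerically."""
    seen, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.append(p)
            stack.extend(children.get(p, []))
    return sorted(seen)


def render(children, image, pid, depth=0):
    """Indented text tree; processes that never wrote into another carry no image name here."""
    lines = [f"{'  ' * depth}{pid} {image.get(pid, '(image not recorded in write events)')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    for finding in registry_findings(parse_registry(REGISTRY_RECORDS)):
        print("FINDING:", finding)
    tree, images = build_tree(parse_memory(MEMORY_RECORDS))
    print("\n".join(render(tree, images, 2000)))
```

The memory-write events only name the writing process, so leaf processes (taskkill, regsvr32, rundll32) appear by PID alone; the Processes section below is where the sandbox fills in their command lines. The tree derived this way matches that section, which is a useful cross-check when a report's process list and its WriteProcessMemory IoCs disagree.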
Processes
- C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe"
  PID: 2000
  signatures: Modifies WinLogon for persistence; Disables cmd.exe use via registry modification; Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C taskkill /F /IM rundll32.exe
    PID: 1980
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM rundll32.exe
      PID: 2780
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C regsvr32 user32.dll
    PID: 568
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      command line: regsvr32 user32.dll
      PID: 2876
      signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C rundll32 user32.dll
    PID: 2432
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      command line: rundll32 user32.dll
      PID: 2892
  - C:\Windows\System32\regsvr32.exe
    command line: "C:\Windows\System32\regsvr32.exe" user32.dll
    PID: 2412
  - C:\Windows\System32\rundll32.exe
    command line: "C:\Windows\System32\rundll32.exe" user32.dll
    PID: 2228