Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2024, 01:01

General

  • Target

    74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe

  • Size

    34KB

  • MD5

    40af464f0782f35bbacd8f4b8f5b7440

  • SHA1

    59e421ee5fee9b5185207a7667fbd6301a7d6b0d

  • SHA256

    74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcd

  • SHA512

    3a5978276aa697333d9fad9f17231bab37a862ab6e6308a6b64b36c04d2c30b15d9e3c4af957bb44404edfa6c6c917951583a281b10bf948ba168a31aba975f1

  • SSDEEP

    384:s+fn2s0F7/KVf8+FiiftR2okw6nUlSeCFufxVguHniYcLMR7:sSm7/KB/ZT9lSdKxVgwiYcLMR

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
    "C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables cmd.exe use via registry modification
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /F /IM rundll32.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM rundll32.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C regsvr32 user32.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\system32\regsvr32.exe
        regsvr32 user32.dll
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2876
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C rundll32 user32.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\rundll32.exe
        rundll32 user32.dll
        3⤵
          PID:2892
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" user32.dll
        2⤵
          PID:2412
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" user32.dll
          2⤵
            PID:2228

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2000-0-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

                Filesize

                4KB

              • memory/2000-1-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

                Filesize

                9.6MB

              • memory/2000-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

                Filesize

                9.6MB

              • memory/2000-3-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

                Filesize

                4KB

              • memory/2000-4-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

                Filesize

                9.6MB