Analysis

  • max time kernel
    122s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2024, 11:00

General

  • Target

    dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe

  • Size

    800KB

  • MD5

    68e6c48eab8ee9681659d3d47d1c8442

  • SHA1

    0ce069304550e846c8ba47e3198d9c5a3980c26e

  • SHA256

    dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee

  • SHA512

    d8d32ef2d81ead9c13391738bae3368e48940dbf9c4a9c8e990ebf0f58d6d4a745f32c55472a9d704202b549954efed4ef306b2b4ad81596c6a16541118c5008

  • SSDEEP

    12288:1WUovH4E8fkLIJkqNIjqWahIKR/gsk0h97chCVhw3FdCe:1WUovLOqIJk8IjhKC077ch53y

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe
    "C:\Users\Admin\AppData\Local\Temp\dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\Executable.exe
      "C:\Users\Admin\AppData\Local\Temp\Executable.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Registry.exe,"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 38
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2772
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Registry.exe,"
          4⤵
          • Modifies WinLogon for persistence
          • System Location Discovery: System Language Discovery
          PID:848
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Executable.exe" "C:\Users\Admin\AppData\Local\Registry.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Local\Registry.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 44
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1180
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 44
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2012
        • C:\Users\Admin\AppData\Local\Registry.exe
          "C:\Users\Admin\AppData\Local\Registry.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2516
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\cmd.exe
        "cmd" /c ipconfig /all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:2784
      • C:\Windows\system32\cmd.exe
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1176
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2644 -s 1128
        3⤵
        • Loads dropped DLL
        PID:2448

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Executable.exe

          Filesize

          463KB

          MD5

          7348784c1b2435bbfcf65e2b1a6a0fcc

          SHA1

          e5e5cf58ca04c0b11f3468a3d13256ed1f9e6d47

          SHA256

          5ec00bf94260666f70facf9a2c7d16979dd5bad3737c23c17394337caffca282

          SHA512

          a5d5b7a9117553e5ad4ec78e6deea1836bd9252d85dc254ea098210bf186b76c760227a44a032d6bb43408870a53ad52ec73566af73c1d5d9d067be446dd2ffa

        • \Users\Admin\AppData\Local\Temp\Bootstrapper.exe

          Filesize

          800KB

          MD5

          2a4dcf20b82896be94eb538260c5fb93

          SHA1

          21f232c2fd8132f8677e53258562ad98b455e679

          SHA256

          ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

          SHA512

          4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

        • memory/2208-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

          Filesize

          4KB

        • memory/2208-1-0x0000000000B50000-0x0000000000BF2000-memory.dmp

          Filesize

          648KB

        • memory/2208-8-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

          Filesize

          9.9MB

        • memory/2208-17-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

          Filesize

          9.9MB

        • memory/2316-20-0x0000000000E10000-0x0000000000E8A000-memory.dmp

          Filesize

          488KB

        • memory/2316-21-0x0000000000480000-0x00000000004C4000-memory.dmp

          Filesize

          272KB

        • memory/2516-38-0x0000000000C70000-0x0000000000CEA000-memory.dmp

          Filesize

          488KB

        • memory/2644-19-0x00000000001F0000-0x00000000002BE000-memory.dmp

          Filesize

          824KB