Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 08:59

General

  • Target

    b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe

  • Size

    273KB

  • MD5

    5523f28f2224dde8d74286b09146bb47

  • SHA1

    6bb034d638fcb055bf59afa3e93ac8dce25a3cf5

  • SHA256

    b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9

  • SHA512

    1d5b06d513befaae50e34493b0daa197fb9e4adb876db99aa1766026dad8e6004b24659de71763be47a31b1049c394b0876a7d3846d7827d2c0584deffdab1d0

  • SSDEEP

    6144:+nNuJp9FtYk5k3uZElT63edWRK9Izm/sHgo2TW:+nMp9AYqtoKapHgo2a

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
    "C:\Users\Admin\AppData\Local\Temp\b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2452 -s 224
        3⤵
          PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      c55e7b590134bae106d2d8170affe162

      SHA1

      13b61495d4b1460ecb770e42a923c880a73ad692

      SHA256

      5d4c55ac6c8371c79f94a81c1e53fa50b0fa4231cda0fc9d93892739c723c7e7

      SHA512

      99162c8512811021c31c98cffe306b3badd07e779ac73d6da16e16d7597c1c8112b1a78dc33a27f717b13333bedf6a804a757e5030f653aeea41a338492c9e27

    • \Users\Admin\AppData\Roaming\FAF27FEB3947465854224\FAF27FEB3947465854224.exe

      Filesize

      273KB

      MD5

      5523f28f2224dde8d74286b09146bb47

      SHA1

      6bb034d638fcb055bf59afa3e93ac8dce25a3cf5

      SHA256

      b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9

      SHA512

      1d5b06d513befaae50e34493b0daa197fb9e4adb876db99aa1766026dad8e6004b24659de71763be47a31b1049c394b0876a7d3846d7827d2c0584deffdab1d0

    • memory/2452-7-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

      Filesize

      4KB

    • memory/2452-58-0x0000000140000000-0x000000014004A000-memory.dmp

      Filesize

      296KB