Overview
overview
10Static
static
10017b236bf3...d6.exe
windows7-x64
10017b236bf3...d6.exe
windows10-2004-x64
1005676f2007...fb.exe
windows7-x64
305676f2007...fb.exe
windows10-2004-x64
70a025116a8...57.exe
windows7-x64
80a025116a8...57.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
31.exe
windows7-x64
81.exe
windows10-2004-x64
818674bbd9a...38.exe
windows7-x64
818674bbd9a...38.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3234901adb1...b2.exe
windows7-x64
10234901adb1...b2.exe
windows10-2004-x64
102ae06537d1...b6.exe
windows7-x64
82ae06537d1...b6.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
32c02c65090...91.exe
windows7-x64
72c02c65090...91.exe
windows10-2004-x64
73.exe
windows7-x64
103.exe
windows10-2004-x64
10329b3ddbf1...f9.exe
windows7-x64
10329b3ddbf1...f9.exe
windows10-2004-x64
10336fe6e8bc...de.exe
windows7-x64
8336fe6e8bc...de.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
34bd31921c8...be.exe
windows7-x64
84bd31921c8...be.exe
windows10-2004-x64
8Analysis
-
max time kernel
14s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 13:46
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win10v2004-20241007-en
General
-
Target
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
-
Size
16KB
-
MD5
ffe4f9b654ff2900c2361444e1b8cc11
-
SHA1
e19af8a7a59f36f6dc60fccf3fed14558485400c
-
SHA256
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
-
SHA512
0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
-
SSDEEP
384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2792 powershell.exe 3036 powershell.exe 2544 powershell.exe 2620 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2792 powershell.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeDebugPrivilege 2620 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 880 wrote to memory of 2792 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 31 PID 880 wrote to memory of 2792 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 31 PID 880 wrote to memory of 2792 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 31 PID 880 wrote to memory of 2544 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 32 PID 880 wrote to memory of 2544 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 32 PID 880 wrote to memory of 2544 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 32 PID 880 wrote to memory of 2620 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 34 PID 880 wrote to memory of 2620 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 34 PID 880 wrote to memory of 2620 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 34 PID 880 wrote to memory of 3036 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 36 PID 880 wrote to memory of 3036 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 36 PID 880 wrote to memory of 3036 880 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'ISUSED' -PropertyType String -Value 'True'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS1' -PropertyType String -Value 'jKI1AOJiEyyZWRkrS9MJJ/wVpMCsd+Kq'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS2' -PropertyType String -Value 'iDC1xgNkcyY='2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58022ec79d6379a929b3b40a6cf0bbe63
SHA178714bbfbc70b88300e7656f28b74e15f3ab82bb
SHA256180a443504c8855ca82be733420eda15dceddf7ecc256cf43b89cdee74702439
SHA5125bf60d46fbeaa23b4a51ccd73b6227a64112530eacc302b0989f4ee502a9c8a41b1132a2839054a39fa0d3cf96a1bdfac92ad36520a321f946eef376519f4f04
-
Filesize
1001B
MD5a62c810eea9a251896ce7dec54ea4510
SHA1589179ab0c9f962fc0c06438deb3de5cbcd38b6e
SHA25633b503f866dc442df1dc822a01b330c2c79b8415cc9b195c40880cd43b643097
SHA51261dfa3127546c4d5b69cf32752288111b06b047e8f336bca698411c42c8642ab952b17e8d84c163d94f60964901accaa0c073b85104ac275b50cab3b9cd8bcd9