488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080

Analysis

max time kernel
97s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe
Size

1.9MB
MD5

5bca1374bb59683f15dafbab2d6c881f
SHA1

6fba6489319bd702f3a75a66657f1520cb91b4ba
SHA256

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080
SHA512

86379299bc454bc2e547340efe539d14b6c73d0110fe9c795e20792299acf577f4268054e8f7928467685c8eab27ff67d85086f76ed61320d75a40742d118cee
SSDEEP

49152:QxYwjnM5v+OZZ0MpB1TXGTy7NxxMjmRqIAe2:aRMYOx0yBvMIqI32

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

dfdfterw.exesihost32.exe

pid	Process
2356	dfdfterw.exe
2648	sihost32.exe

Loads dropped DLL 4 IoCs

Processes:

cmd.execonhost.exe

pid	Process
2744	cmd.exe
2744	cmd.exe
1576	conhost.exe
1576	conhost.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	Process
File created	C:\Windows\system32\dfdfterw.exe	conhost.exe
File opened for modification	C:\Windows\system32\dfdfterw.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

conhost.execonhost.exe

pid	Process
1172	conhost.exe
1576	conhost.exe
1576	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.execonhost.exe

description	pid	Process
Token: SeDebugPrivilege	1172	conhost.exe
Token: SeDebugPrivilege	1576	conhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.execonhost.execmd.execmd.exedfdfterw.execonhost.exesihost32.exe

description	pid	Process	procid_target
PID 2820 wrote to memory of 1172	2820	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	30
PID 2820 wrote to memory of 1172	2820	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	30
PID 2820 wrote to memory of 1172	2820	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	30
PID 2820 wrote to memory of 1172	2820	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	30
PID 1172 wrote to memory of 3028	1172	conhost.exe	32
PID 1172 wrote to memory of 3028	1172	conhost.exe	32
PID 1172 wrote to memory of 3028	1172	conhost.exe	32
PID 3028 wrote to memory of 2764	3028	cmd.exe	34
PID 3028 wrote to memory of 2764	3028	cmd.exe	34
PID 3028 wrote to memory of 2764	3028	cmd.exe	34
PID 1172 wrote to memory of 2744	1172	conhost.exe	35
PID 1172 wrote to memory of 2744	1172	conhost.exe	35
PID 1172 wrote to memory of 2744	1172	conhost.exe	35
PID 2744 wrote to memory of 2356	2744	cmd.exe	37
PID 2744 wrote to memory of 2356	2744	cmd.exe	37
PID 2744 wrote to memory of 2356	2744	cmd.exe	37
PID 2356 wrote to memory of 1576	2356	dfdfterw.exe	38
PID 2356 wrote to memory of 1576	2356	dfdfterw.exe	38
PID 2356 wrote to memory of 1576	2356	dfdfterw.exe	38
PID 2356 wrote to memory of 1576	2356	dfdfterw.exe	38
PID 1576 wrote to memory of 2648	1576	conhost.exe	39
PID 1576 wrote to memory of 2648	1576	conhost.exe	39
PID 1576 wrote to memory of 2648	1576	conhost.exe	39
PID 2648 wrote to memory of 2148	2648	sihost32.exe	40
PID 2648 wrote to memory of 2148	2648	sihost32.exe	40
PID 2648 wrote to memory of 2148	2648	sihost32.exe	40
PID 2648 wrote to memory of 2148	2648	sihost32.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe
"C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "dfdfterw" /tr "C:\Windows\system32\dfdfterw.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dfdfterw" /tr "C:\Windows\system32\dfdfterw.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2764
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\dfdfterw.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\dfdfterw.exe
      C:\Windows\system32\dfdfterw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\dfdfterw.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        7⤵
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
31KB

MD5
d714870cb4a643fa0aacf4a96f0e2a57

SHA1
b9e25cd58d2c77ba1f6fb070a5dedb64083056f2

SHA256
5c2b4f9deb3876840cb302d4d85f3ec113ca40b7c5ef2c2f0d624232ac1b99eb

SHA512
16778204628a0e915f893500867b7b5739f0f1fcf693b5e6912522ea81d9e6cab70a00b7d8a1209bfc73d089b2ddf995519560570dfc028975b8fea3c737dc8f

Download Submit
C:\Windows\System32\dfdfterw.exe

Filesize
1.9MB

MD5
5bca1374bb59683f15dafbab2d6c881f

SHA1
6fba6489319bd702f3a75a66657f1520cb91b4ba

SHA256
488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080

SHA512
86379299bc454bc2e547340efe539d14b6c73d0110fe9c795e20792299acf577f4268054e8f7928467685c8eab27ff67d85086f76ed61320d75a40742d118cee

Download Submit
memory/1172-15-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-1-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/1172-4-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-5-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-6-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-7-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/1172-8-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-2-0x000000001B170000-0x000000001B362000-memory.dmp

Filesize
1.9MB

Download
memory/1172-0-0x0000000000230000-0x0000000000421000-memory.dmp

Filesize
1.9MB

Download
memory/1172-3-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-17-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/1576-19-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1576-18-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1576-28-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1576-21-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1576-31-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-32-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2148-33-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download