Analysis

max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2023 13:07

Static task: static1
Behavioral task: behavioral1
Sample: aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe
Resource: win7-20230831-en

General

Target: aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe
Size: 416KB
MD5: 82114dfe88bcc2f83faf00cb8bef998b
SHA1: a68c7e580774b489937ca9510bed20a2af5b2f35
SHA256: aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f
SHA512: 1fb0d58cd2545d6d9d40c0772a6ee223c11e33c327c8e65e0636558e06fa2f04ac70c4c3b0a00df99f22146889cb28f4d5d764a1b5a6428d3143838e0953b2b5
SSDEEP: 12288:PYUObZYMG+yTIFRXzWq49tmG+jZmvA5Vapysf:PYUAY+b149tmkA5Vaj
Malware Config
Signatures

Checks computer location settings | 2 TTPs | 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Control Panel\International\Geo\Nation | czcluww.exe

Executes dropped EXE | 2 IoCs
pid | Process
2324 | czcluww.exe
1352 | czcluww.exe

Loads dropped DLL | 3 IoCs
pid | Process
2060 | aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe
2324 | czcluww.exe
2868 | NAPSTAT.EXE

Suspicious use of SetThreadContext | 4 IoCs
description | pid | Process | procid_target
PID 2324 set thread context of 1352 | 2324 | czcluww.exe | 29
PID 1352 set thread context of 1276 | 1352 | czcluww.exe | 3
PID 1352 set thread context of 2868 | 1352 | czcluww.exe | 32
PID 2868 set thread context of 1276 | 2868 | NAPSTAT.EXE | 3

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings | 1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-3185155662-718608226-894467740-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses | 30 IoCs
pid | Process
1352 | czcluww.exe (8 identical rows)
2868 | NAPSTAT.EXE (22 identical rows)

Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
pid | Process
1276 | Explorer.EXE

Suspicious behavior: MapViewOfSection | 8 IoCs
pid | Process
2324 | czcluww.exe
1352 | czcluww.exe
1276 | Explorer.EXE (2 identical rows)
2868 | NAPSTAT.EXE (4 identical rows)

Suspicious use of AdjustPrivilegeToken | 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1352 | czcluww.exe
Token: SeDebugPrivilege | 2868 | NAPSTAT.EXE

Suspicious use of WriteProcessMemory | 18 IoCs
description | pid | Process | procid_target
PID 2060 wrote to memory of 2324 | 2060 | aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe | 28 (4 identical rows)
PID 2324 wrote to memory of 1352 | 2324 | czcluww.exe | 29 (5 identical rows)
PID 1276 wrote to memory of 2868 | 1276 | Explorer.EXE | 32 (4 identical rows)
PID 2868 wrote to memory of 1504 | 2868 | NAPSTAT.EXE | 35 (5 identical rows)
Processes

Tree depth is shown by indentation and by the number in brackets; each entry lists the process path, its command line, the signatures attributed to it and its PID.

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1276

    [2] C:\Users\Admin\AppData\Local\Temp\aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\aa06f9712e5468f9df30cd124b2f26d9d5a3f2eb46fa23af594ced8b7c69322f.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2060

        [3] C:\Users\Admin\AppData\Local\Temp\czcluww.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\czcluww.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            PID: 2324

            [4] C:\Users\Admin\AppData\Local\Temp\czcluww.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\czcluww.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                PID: 1352

    [2] C:\Windows\SysWOW64\NAPSTAT.EXE
        Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2868

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 1504
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 296KB
MD5: 33d5fa5bef2e6823aa4ccdff75283e76
SHA1: d0486f4ba1d6c80de7ae5b5a15c643a1c9308bab
SHA256: e134b99d2ade9c093f7c9721d3b0fb24de22aaee386b6f208f59deb8d60e2b89
SHA512: 1a82dd68b43cafe03b0114e3f45d9050371519d6805982ccbf2848af271a9793cee2f6ec192e09acd3e2684da6c6a991522805752ac786aa3550023f24800c4e

Filesize: 250KB
MD5: c970890b59d5878e9cf6fb0f6828c782
SHA1: 20c1dab981e7acb23369c5379bee73ca80c02176
SHA256: 890ff18194050060390a7769cfe46572e08dee422d1117c3ba8a66d09dc4cd17
SHA512: f031fb577651bf900e9a8eae6239b5654b45932971ad8718f8ced991bf2c17a6cbb650094c49a3070c3b0e1f133629bc2d20f4a23a8b58520a3530c2373160c7

Filesize: 431KB
MD5: fa9b7c190006303eecddffa019d0be06
SHA1: a97cebc176b3daa453189f2c0b7cf2a5a70f9c92
SHA256: dc7f8b3493543dc086cb43b66401893597f993408f18b437e5c8e8b5544db0bf
SHA512: 4c293ef052a14f7527aa42d451ba5f4cfdf7fb7203f583eda34ef24f4a2fd13975553c432a9354a0f8c1de924b0c29a819bd34c7aaa03b642372496a75be0532

Filesize: 825KB
MD5: 00a91261929192a7facc32a9f330029a
SHA1: 7df4ffdf48a6df0bac21a82d6db56aa11db470dc
SHA256: c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f
SHA512: 18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e