Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 07:36
Behavioral task: behavioral1
Sample: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe
Resource: win10v2004-20231215-en
General
Target: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe
Size: 627KB
MD5: 70b5ca289fa630db5715f047212a5403
SHA1: e6e4d63c0be8cbad0517c4ae1a56b1beefac5980
SHA256: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166
SHA512: e347f690dd54bb48e63a12ba8c63fd7617eafa9b03aea73a4ab107cca3838723bf38a0d3ed36a2e43d3ae6876f26ffd3f27230220fab430f389c90bb2a0aff84
SSDEEP: 12288:lOqvQomCg4G6q90tmPvj+GU/ttJuqwh3EQiXRUVZs4ixsiNhkApRawx:xoovgbAKvBgtJuqwh3EQihUb1ifNh9
Malware Config
Signatures
DarkTrack payload (5 IoCs)
resource                                                                  yara_rule
behavioral2/memory/624-0-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
behavioral2/memory/624-1-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
behavioral2/files/0x0006000000023211-8.dat                                  family_darktrack
behavioral2/memory/624-12-0x0000000000400000-0x00000000004A8000-memory.dmp  family_darktrack
behavioral2/memory/1788-16-0x0000000000400000-0x00000000004A8000-memory.dmp family_darktrack
The same 0x400000-0x4A8000 region matches in both the original sample (PID 624) and the dropped Sys32.exe (PID 1788), and one dropped file on disk also matches, so the dropped copy carries the same DarkTrack payload as the submitted sample.
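The five YARA hits above are identified only by resource name. The following added example (not part of the sandbox report or of any sandbox vendor's code) parses those names into PID, dump index and address range, then reports regions that were flagged in more than one process. The naming scheme `<pid>-<index>-<start>-<end>-memory.dmp` is inferred from the five names on this page and is an assumption; the input list is copied from the table above.

```python
import re
from collections import defaultdict

# The five YARA hits listed in the report (behavioral2 task), as (resource, rule) pairs.
YARA_HITS = [
    ("behavioral2/memory/624-0-0x0000000000400000-0x00000000004A8000-memory.dmp", "family_darktrack"),
    ("behavioral2/memory/624-1-0x0000000000400000-0x00000000004A8000-memory.dmp", "family_darktrack"),
    ("behavioral2/files/0x0006000000023211-8.dat", "family_darktrack"),
    ("behavioral2/memory/624-12-0x0000000000400000-0x00000000004A8000-memory.dmp", "family_darktrack"),
    ("behavioral2/memory/1788-16-0x0000000000400000-0x00000000004A8000-memory.dmp", "family_darktrack"),
]

# Assumed naming scheme for memory dumps: <pid>-<dump index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<name>[^/]+)$")


def parse_hit(resource, rule):
    """Turn one resource name into a dict describing a memory region or a dropped file."""
    m = DUMP_RE.match(resource)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
                "start": start, "end": end, "size": end - start, "rule": rule}
    m = FILE_RE.match(resource)
    if m:
        return {"kind": "file", "task": m["task"], "name": m["name"], "rule": rule}
    raise ValueError(f"unrecognised resource name: {resource}")


def summarise(hits):
    """Group memory hits by PID; collect dropped-file hits and the set of rules that fired."""
    regions = defaultdict(set)  # pid -> {(start, end)}
    files, rules = [], set()
    for resource, rule in hits:
        h = parse_hit(resource, rule)
        rules.add(h["rule"])
        if h["kind"] == "memory":
            regions[h["pid"]].add((h["start"], h["end"]))
        else:
            files.append(h["name"])
    return {"regions": dict(regions), "files": files, "rules": rules}


def shared_regions(summary):
    """Regions flagged in more than one process. The same base and size in the dropper
    and in the dropped child is the signal that the payload was carried over unchanged."""
    seen = defaultdict(set)
    for pid, regs in summary["regions"].items():
        for r in regs:
            seen[r].add(pid)
    return {r: sorted(pids) for r, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    s = summarise(YARA_HITS)
    for (start, end), pids in shared_regions(s).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) flagged in PIDs {pids}")
    print("dropped files matching:", s["files"])
```

Reading the parsed output: 0x400000 is the conventional default image base for 32-bit PE files (both notepad instances run from SysWOW64, so the payload is 32-bit), and the region being identical in PIDs 624 and 1788 tells you the dropped Sys32.exe is the same image rather than a second-stage download.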
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
Process: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe
Executes dropped EXE (1 IoC)
pid: 1788
Process: Sys32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Sys32.exe"
Process: notepad.exe
The process that sets the Run value is notepad.exe (PID 1604 in the process tree below), not the sample or Sys32.exe. Notepad has no legitimate reason to write an autorun entry; together with the WriteProcessMemory events from Sys32.exe into that PID, this indicates the persistence was established from code injected into notepad.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid: 1788
Process: Sys32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 events are repeated writes between four parent/child pairs (procid_target is the sandbox's internal id of the written-to process):
description                          Process                                                              procid_target
PID 624 wrote to memory of 3556      71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe   95
PID 624 wrote to memory of 1788      71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe   97
PID 1788 wrote to memory of 3208     Sys32.exe                                                            98
PID 1788 wrote to memory of 1604     Sys32.exe                                                            99
Both the original sample and the dropped Sys32.exe write into freshly spawned SysWOW64 notepad.exe instances (3556, 3208 and 1604); the sample also writes into its own dropped child (1788).
Processes
C:\Users\Admin\AppData\Local\Temp\71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe  "C:\Users\Admin\AppData\Local\Temp\71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe"  (level 1, PID 624)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\notepad.exe  notepad  (level 2, PID 3556)
  C:\Users\Admin\AppData\Roaming\Sys32.exe  "C:\Users\Admin\AppData\Roaming\Sys32.exe"  (level 2, PID 1788)
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe  notepad  (level 3, PID 3208)
    C:\Windows\SysWOW64\notepad.exe  notepad  (level 3, PID 1604)
      - Adds Run key to start application
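The signatures and process tree above are the raw material for a detection: a registry geofence probe, WriteProcessMemory into system binaries, and a Run key written by one of those injected hosts. The following added example (written for this page, not part of the sandbox report or of any vendor's tooling) rebuilds the process tree from a constructed event stream modelled on the report, marks processes that were written to by another process, and scores the Run-key write by who performed it and what it points at. The event format, the `SYSTEM_HOSTS` list and the path patterns are assumptions made for the example; the PIDs, images and registry paths are taken from this report.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Sys32.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000"

# Constructed event stream modelled on this report's signatures and process tree.
# Each event is (kind, acting pid, acting image, details); the format is assumed, not sandbox output.
EVENTS = [
    ("process_start", 624, SAMPLE, {"parent": None}),
    ("reg_query", 624, SAMPLE, {"key": HKCU + r"\Control Panel\International\Geo\Nation"}),
    ("process_start", 3556, NOTEPAD, {"parent": 624}),
    ("mem_write", 624, SAMPLE, {"target": 3556}),
    ("process_start", 1788, DROPPED, {"parent": 624}),
    ("mem_write", 624, SAMPLE, {"target": 1788}),
    ("process_start", 3208, NOTEPAD, {"parent": 1788}),
    ("mem_write", 1788, DROPPED, {"target": 3208}),
    ("process_start", 1604, NOTEPAD, {"parent": 1788}),
    ("mem_write", 1788, DROPPED, {"target": 1604}),
    ("reg_set", 1604, NOTEPAD, {"key": HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys32.exe",
                                "value": DROPPED}),
]

RUN_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.I)
# Assumed list of Windows binaries that never legitimately write autorun keys themselves.
SYSTEM_HOSTS = {"notepad.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Return (pid -> parent pid, pid -> image path) from process_start events."""
    parents, images = {}, {}
    for kind, pid, image, d in events:
        if kind == "process_start":
            parents[pid] = d["parent"]
            images[pid] = image
    return parents, images


def ancestry(pid, parents):
    """pid, its parent, grandparent, ... up to the root process."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = parents.get(pid)
    return chain


def injection_targets(events):
    """pid -> set of other pids that wrote into its memory (the WriteProcessMemory signature)."""
    writers = defaultdict(set)
    for kind, pid, _, d in events:
        if kind == "mem_write" and d["target"] != pid:
            writers[d["target"]].add(pid)
    return writers


def findings(events):
    parents, images = build_tree(events)
    writers = injection_targets(events)
    out = []
    # A system binary that another process wrote into is a likely injection host.
    for tgt, srcs in sorted(writers.items()):
        if basename(images.get(tgt, "")) in SYSTEM_HOSTS:
            out.append(f"injected-host pid={tgt} image={basename(images[tgt])} writers={sorted(srcs)}")
    for kind, pid, image, d in events:
        if kind == "reg_query" and GEO_RE.search(d["key"]):
            out.append(f"geofence-check pid={pid} image={basename(image)}")
        if kind == "reg_set" and RUN_KEY_RE.search(d["key"]):
            tags = []
            if pid in writers:
                tags.append("writer-was-injected")
            if basename(image) in SYSTEM_HOSTS:
                tags.append("atypical-writer")
            if USER_WRITABLE_RE.search(d["value"]):
                tags.append("target-in-user-writable-path")
            chain = "->".join(str(p) for p in reversed(ancestry(pid, parents)))
            out.append(f"run-key-persistence pid={pid} value={d['value']} chain={chain} tags={','.join(tags)}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

On this report's data the persistence finding carries the chain 624->1788->1604 and all three tags, which is what lets a triage analyst attribute the notepad.exe Run-key write back to the submitted sample instead of treating it as an unrelated event. Sys32.exe (PID 1788) is also written into by its parent but is not reported as an injected host, because it is the dropper's own payload rather than a hijacked system binary.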
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 627KB
MD5: 70b5ca289fa630db5715f047212a5403
SHA1: e6e4d63c0be8cbad0517c4ae1a56b1beefac5980
SHA256: 71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166
SHA512: e347f690dd54bb48e63a12ba8c63fd7617eafa9b03aea73a4ab107cca3838723bf38a0d3ed36a2e43d3ae6876f26ffd3f27230220fab430f389c90bb2a0aff84