Analysis
max time kernel: 146s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 11b838aafbea231e6d9ac7b4cd578b83.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 11b838aafbea231e6d9ac7b4cd578b83.exe
  Resource: win10v2004-20231215-en
General
Target: 11b838aafbea231e6d9ac7b4cd578b83.exe
Size: 1.4MB
MD5: 11b838aafbea231e6d9ac7b4cd578b83
SHA1: 1517d0b4608754311f7afcf82e347a765f79ac8f
SHA256: 0488a07343371881b2d6b461e0c21403aab39b8fbe669814ed70c850ec4eebe1
SHA512: a185fd320dbfcfd8a39cfdfc26fb906807aa0f37b62aae676b98db424c3c4c3e42243ab75ccb4b89e1bd4e6ed4cb04eb50698935bd9b3ad163d580c7f673be54
SSDEEP: 24576:2FRukAzt8uSHp8X9V0ESdQpglO1CxDyawn27h+9hrlgKQY9SGcZwCdTp:G0k2t8TmX9V0RIglO1CuL9VNcaCd9
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid   Process
2972  ResHacker.exe
3052  tmp.tmp.tmp1
2596  appl_.exe
2624  heqlh.exe

Memory dumps matching YARA rule upx (11 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2596-33-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2624-42-0x0000000000400000-0x0000000000501000-memory.dmp  upx
behavioral1/memory/3052-41-0x0000000000400000-0x0000000000501000-memory.dmp  upx
behavioral1/memory/3052-21-0x0000000000400000-0x0000000000501000-memory.dmp  upx
behavioral1/memory/2624-48-0x0000000000400000-0x0000000000501000-memory.dmp  upx
behavioral1/memory/2596-47-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2596-61-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2596-65-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2596-74-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2596-77-0x0000000000400000-0x0000000000457000-memory.dmp  upx
behavioral1/memory/2596-98-0x0000000000400000-0x0000000000457000-memory.dmp  upx
Unexpected DNS network traffic destination 11 IoCs
Traffic on the DNS port (53) was sent to servers other than the resolvers configured for the sandbox. This typically means the sample carries its own hard-coded resolvers or uses port 53 to reach infrastructure that is not a DNS server at all; the eleven destinations below are the peers observed.
description     ioc
Destination IP  147.178.2.5
Destination IP  209.75.26.6
Destination IP  63.201.251.38
Destination IP  211.111.208.207
Destination IP  57.68.16.11
Destination IP  198.89.137.240
Destination IP  207.231.129.132
Destination IP  152.3.250.2
Destination IP  216.53.5.50
Destination IP  209.135.36.204
Destination IP  130.36.61.200
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  appl_.exe
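The IoC above is the NT object path for the raw first disk (`\??\PhysicalDrive0`, which Win32 code opens as `\\.\PhysicalDrive0`); opening it for modification is what a bootkit needs in order to overwrite sector 0. The following is an added example, not code from the report or from the analysed sample, showing how an incident responder can check whether an MBR has been tampered with: it parses the 512-byte sector (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and compares the bootstrap code hash and partition table against a known-good baseline. The sample sectors are constructed here with dummy bootstrap bytes and one NTFS partition; `read_mbr` is the Windows-only, administrator-only call you would use against the live disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0-445: bootstrap code executed by the BIOS
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE_OFF = 510          # 0x55 0xAA boot signature


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from bootstrap code and (bootable, type, lba_start, sectors)
    tuples. Used here only to construct sample sectors for the example."""
    buf = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        # CHS fields are filled with the conventional 0xFE 0xFF 0xFF "use LBA" marker.
        struct.pack_into("<B3sB3sII", buf, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba_start, sectors)
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(sector):
    """Split an MBR into a bootstrap-code hash, the used partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            "<BBBBBBBBII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == 0xAA55,   # bytes 55 AA read as little-endian u16
    }


def diff_mbr(baseline, current):
    """Compare a known-good MBR against the current one and return human-readable findings.
    A bootkit typically changes the bootstrap code while leaving the partition table intact,
    so the OS still boots and nothing looks wrong from inside Windows."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) changed: possible bootkit")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    r"""Read sector 0 from a raw disk. Windows only, needs administrator rights;
    \\.\PhysicalDrive0 is the Win32 name for the \??\PhysicalDrive0 object in the report."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed sample sectors (not taken from the analysed binary).
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800)]                   # one bootable NTFS partition
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100  # stand-in for a normal loader
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"\xcc" * 100                   # stand-in for bootkit code
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    for finding in diff_mbr(CLEAN_MBR, TAMPERED_MBR):
        print(finding)
```

In a real investigation the baseline comes from a golden image or from the same machine before the incident, and the comparison is run from a clean boot medium rather than from the possibly compromised OS, since a bootkit that hooks disk I/O can hand back the original sector to tools running under Windows.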
Drops file in Windows directory 4 IoCs
description                   ioc                       Process
File opened for modification  C:\Windows\ResHacker.exe  11b838aafbea231e6d9ac7b4cd578b83.exe
File opened for modification  C:\Windows\tmp.tmp.tmp1   11b838aafbea231e6d9ac7b4cd578b83.exe
File created                  C:\Windows\heqlh.exe      tmp.tmp.tmp1
File created                  C:\Windows\appl_.exe      tmp.tmp.tmp1
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments. On its own this is weak evidence, since installers and runtime libraries read the same key, so weigh it together with the other signatures in this report.
description        ioc                                                                                Process
Key opened         \REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0                   tmp.tmp.tmp1
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  tmp.tmp.tmp1
Key opened         \REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0                   heqlh.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  heqlh.exe
Suspicious use of SetWindowsHookEx 37 IoCs
pid   Process                               times reported
3004  11b838aafbea231e6d9ac7b4cd578b83.exe  1
2596  appl_.exe                             36
Suspicious use of WriteProcessMemory 16 IoCs
description                       pid   Process                               procid_target  times reported
PID 3004 wrote to memory of 2972  3004  11b838aafbea231e6d9ac7b4cd578b83.exe  22             4
PID 3004 wrote to memory of 3052  3004  11b838aafbea231e6d9ac7b4cd578b83.exe  21             4
PID 3052 wrote to memory of 2596  3052  tmp.tmp.tmp1                          20             4
PID 3052 wrote to memory of 2624  3052  tmp.tmp.tmp1                          19             4
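A parent writing into a process it has just created is what CreateProcess does internally, so these WriteProcessMemory IoCs are mainly useful for reconstructing who spawned whom. The following is an added example, not code from the report or the sandbox vendor, that correlates the flat IoC lists above (dropped executables, WriteProcessMemory pairs, dropped files and the raw-disk open) into a process lineage and attributes the MBR write to its full chain. It assumes that the first process writing into a new PID is its creator; the report's own process tree lists heqlh.exe and appl_.exe as separate top-level entries, so the chain derived here is an inference from the memory writes, not something the sandbox asserted. The input lines are copied from this report and embedded as constructed sample data.

```python
import re

# Signature lines copied from the report above; constructed input for this example.
EXEC_DROPPED = "2972 ResHacker.exe 3052 tmp.tmp.tmp1 2596 appl_.exe 2624 heqlh.exe"
WPM_LINES = [
    "PID 3004 wrote to memory of 2972 3004 11b838aafbea231e6d9ac7b4cd578b83.exe 22",
    "PID 3004 wrote to memory of 2972 3004 11b838aafbea231e6d9ac7b4cd578b83.exe 22",
    "PID 3004 wrote to memory of 3052 3004 11b838aafbea231e6d9ac7b4cd578b83.exe 21",
    "PID 3052 wrote to memory of 2596 3052 tmp.tmp.tmp1 20",
    "PID 3052 wrote to memory of 2624 3052 tmp.tmp.tmp1 19",
]
DROP_LINES = [
    r"File opened for modification C:\Windows\ResHacker.exe 11b838aafbea231e6d9ac7b4cd578b83.exe",
    r"File opened for modification C:\Windows\tmp.tmp.tmp1 11b838aafbea231e6d9ac7b4cd578b83.exe",
    r"File created C:\Windows\heqlh.exe tmp.tmp.tmp1",
    r"File created C:\Windows\appl_.exe tmp.tmp.tmp1",
]
MBR_LINES = [r"File opened for modification \??\PhysicalDrive0 appl_.exe"]

# description column: "PID <writer> wrote to memory of <target>", then pid, Process, procid_target
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
FILE_RE = re.compile(r"File (?:created|opened for modification) (\S+) (\S+)$")


def build_graph(exec_dropped, wpm_lines, drop_lines, mbr_lines):
    """Turn the flat IoC lists into pid->name, child->parent, dropped-file and MBR-writer maps."""
    names = {int(pid): name for pid, name in re.findall(r"(\d+) (\S+)", exec_dropped)}
    parent = {}
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        writer, target, _, writer_name, _ = m.groups()
        names.setdefault(int(writer), writer_name)
        # Assumption: the first process that writes into a new process is its creator.
        parent.setdefault(int(target), int(writer))
    drops = {}
    for line in drop_lines:
        m = FILE_RE.match(line)
        if m:
            path, dropper = m.groups()
            drops[path.rsplit("\\", 1)[-1]] = dropper   # file name -> process that wrote it
    mbr_writers = set()
    for line in mbr_lines:
        m = FILE_RE.match(line)
        if m and m.group(1).endswith("PhysicalDrive0"):
            mbr_writers.add(m.group(2))
    return {"names": names, "parent": parent, "drops": drops, "mbr_writers": mbr_writers}


def lineage(graph, pid):
    """Root-to-leaf chain of 'name (pid)' for a process, following recorded parents."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:   # 'seen' guards against cyclic writes
        seen.add(pid)
        chain.append(f"{graph['names'].get(pid, '?')} ({pid})")
        pid = graph["parent"].get(pid)
    return chain[::-1]


def dropped_by(graph, file_name):
    """Process that wrote the named file to disk, or None if no drop event was recorded."""
    return graph["drops"].get(file_name)


def mbr_write_chains(graph):
    """One 'a -> b -> c' string per process that opened the raw disk for modification."""
    return [" -> ".join(lineage(graph, pid))
            for pid, name in graph["names"].items() if name in graph["mbr_writers"]]


if __name__ == "__main__":
    g = build_graph(EXEC_DROPPED, WPM_LINES, DROP_LINES, MBR_LINES)
    for chain in mbr_write_chains(g):
        print("MBR write:", chain)
    for name in ("tmp.tmp.tmp1", "appl_.exe", "heqlh.exe", "ResHacker.exe"):
        print(f"{name} dropped by {dropped_by(g, name)}")
```

Run against the report's lines this yields a single chain, the original sample (3004) spawning tmp.tmp.tmp1 (3052), which drops and spawns appl_.exe (2596), the process that opens PhysicalDrive0. That chain is the one to hand to detection engineering: the MBR write is two hops away from the file a user would actually have executed.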
Processes

C:\Users\Admin\AppData\Local\Temp\11b838aafbea231e6d9ac7b4cd578b83.exe (PID 3004, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11b838aafbea231e6d9ac7b4cd578b83.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\tmp.tmp.tmp1 (PID 3052, level 2)
    Command line: C:\Windows\tmp.tmp.tmp1
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

  C:\Windows\ResHacker.exe (PID 2972, level 2)
    Command line: "C:\Windows\ResHacker.exe"
    - Executes dropped EXE

C:\Windows\heqlh.exe (PID 2624, level 1)
  Command line: C:\Windows\heqlh.exe
  - Executes dropped EXE
  - Checks processor information in registry

C:\Windows\appl_.exe (PID 2596, level 1)
  Command line: C:\Windows\appl_.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx