Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 16:43

Static task: static1
Behavioral task: behavioral1
Sample: aL4N.exe
Resource: win7-20240220-en
General
Target: aL4N.exe
Size: 684KB
MD5: 8be9a518d5e5d5aa5f2fe7f0b122f901
SHA1: 398ffdbb4cec5b16d5ef43200ff2d91167e97ac6
SHA256: 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf
SHA512: 945ff2ce0725b1c694186f3e550607532898bdcea1ee314e84975f8a7744b4b7f083981866033d62e46b86e8c1c6aca1bcf9a1057d9a19d4e318a7a16e63b61e
SSDEEP: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCURfc3D:uRmJkcoQricOIQxiZY1iaC2c3D
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2552  netsh.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                   Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe  aL4N.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe  aL4N.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2516  aL4N.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2872  aL4N.exe
  2872  aL4N.exe
  2872  aL4N.exe
  2872  aL4N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\""  aL4N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\""         aL4N.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\i:  aL4N.exe
  File opened (read-only)  \??\n:  aL4N.exe
  File opened (read-only)  \??\t:  aL4N.exe
  File opened (read-only)  \??\v:  aL4N.exe
  File opened (read-only)  \??\w:  aL4N.exe
  File opened (read-only)  \??\b:  aL4N.exe
  File opened (read-only)  \??\h:  aL4N.exe
  File opened (read-only)  \??\j:  aL4N.exe
  File opened (read-only)  \??\l:  aL4N.exe
  File opened (read-only)  \??\q:  aL4N.exe
  File opened (read-only)  \??\y:  aL4N.exe
  File opened (read-only)  \??\z:  aL4N.exe
  File opened (read-only)  \??\e:  aL4N.exe
  File opened (read-only)  \??\g:  aL4N.exe
  File opened (read-only)  \??\o:  aL4N.exe
  File opened (read-only)  \??\p:  aL4N.exe
  File opened (read-only)  \??\r:  aL4N.exe
  File opened (read-only)  \??\u:  aL4N.exe
  File opened (read-only)  \??\x:  aL4N.exe
  File opened (read-only)  \??\a:  aL4N.exe
  File opened (read-only)  \??\k:  aL4N.exe
  File opened (read-only)  \??\m:  aL4N.exe
  File opened (read-only)  \??\s:  aL4N.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource                                  yara_rule
  behavioral1/files/0x000b000000015d59-4.dat  autoit_exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process   procid_target
  PID 2872 wrote to memory of 2516  2872  aL4N.exe  28
  PID 2872 wrote to memory of 2516  2872  aL4N.exe  28
  PID 2872 wrote to memory of 2516  2872  aL4N.exe  28
  PID 2872 wrote to memory of 2516  2872  aL4N.exe  28
  PID 2516 wrote to memory of 2552  2516  aL4N.exe  29
  PID 2516 wrote to memory of 2552  2516  aL4N.exe  29
  PID 2516 wrote to memory of 2552  2516  aL4N.exe  29
  PID 2516 wrote to memory of 2552  2516  aL4N.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\aL4N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aL4N.exe"
  PID: 2872
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\aL4N.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aL4N.exe" "del" C:\Users\Admin\AppData\Local\Temp\aL4N.exe
    PID: 2516
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\aL4N.exe" "aL4N.exe" ENABLE
      PID: 2552
      - Modifies Windows Firewall

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2460
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads

Filesize: 11B
MD5: 301a3e5a5c08c60b2952122a97e1a838
SHA1: c85da2ebd9e1098eed686b8c74016bee728bb942
SHA256: 89886e624db56b7f7e7a0a857fc7e63ebfffe9eb69b329489b79dd0a3e24f7fa
SHA512: ce1dcdad347d6c8e6a798b915f8a8d8ac1be4851c0064ab62e80aa85103a472f402b688e94950099a812db1134917fe9d51a7dfa0504e0174e94acdad8ee34d9

Filesize: 684KB
MD5: 8be9a518d5e5d5aa5f2fe7f0b122f901
SHA1: 398ffdbb4cec5b16d5ef43200ff2d91167e97ac6
SHA256: 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf
SHA512: 945ff2ce0725b1c694186f3e550607532898bdcea1ee314e84975f8a7744b4b7f083981866033d62e46b86e8c1c6aca1bcf9a1057d9a19d4e318a7a16e63b61e