Analysis
max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 00:51
Behavioral task: behavioral1
Sample: b35df2b5bfd716d04d9e73f29d33cfb4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b35df2b5bfd716d04d9e73f29d33cfb4.exe
Resource: win10v2004-20240226-en
General
Target: b35df2b5bfd716d04d9e73f29d33cfb4.exe
Size: 2.9MB
MD5: b35df2b5bfd716d04d9e73f29d33cfb4
SHA1: abe74a1da3f90da74bed2e3648668308b6f06bd7
SHA256: 17e75d26155509f37f0309982ad4ed831df19bb3b61b4b10851ce520487619e6
SHA512: 19addc0b6b912d8c90901d1f4811a2b5c7e2426b0d5435f84a067a2cca527c4d173d8968f9eee18aca49e855b707c5fa743e27c94694bb16a226095582f1925d
SSDEEP: 49152:UtgQNNmhRX61578r06UQBfvggdae+NNpjk7MMHfBhm2xjCtub03xZiqGQ:UORXW57zLQ5IgwNNpjUnHfBJvw3xQq
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systen32 = "C:\\Windows\\system32\\systen32.exe"
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\systen32.exe
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\systen32.exe
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe

Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\reg_88448888.txt
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1856
  Process: schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1640
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1640 wrote to memory of 1856
  pid: 1640
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe
  procid_target: 28

  description: PID 1640 wrote to memory of 1856
  pid: 1640
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe
  procid_target: 28

  description: PID 1640 wrote to memory of 1856
  pid: 1640
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe
  procid_target: 28

  description: PID 1640 wrote to memory of 1856
  pid: 1640
  Process: b35df2b5bfd716d04d9e73f29d33cfb4.exe
  procid_target: 28
Processes

C:\Users\Admin\AppData\Local\Temp\b35df2b5bfd716d04d9e73f29d33cfb4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b35df2b5bfd716d04d9e73f29d33cfb4.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 1640

  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
    - Creates scheduled task(s)
    PID: 1856