Behavioral task
behavioral1
Sample
ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe
Resource
win10v2004-20240412-en
General
-
Target
3e90705aba37a41167ba16227f849865f2fa8f75002f955c681ec40543da7bf1
-
Size
15KB
-
MD5
e66abf889364f9f792c149d69522338a
-
SHA1
41b147bd433d1305eb0845222be69789732c66d7
-
SHA256
3e90705aba37a41167ba16227f849865f2fa8f75002f955c681ec40543da7bf1
-
SHA512
d8eb6ade4109e15b26de4b92abb0f92fd25b57bfa52f8287d703a5950d1196ab1469836fe3058fae49cd7bcf74b1314803fc6a6ee91c605298c1a33603e97865
-
SSDEEP
384:QMcqcZa2gWd9rCH6vICwkCBHNt8J5awnsIcdmVp/:5KZPfdC/CY0PcdmT/
Malware Config
Signatures
-
Industroyer IEC-104 Module 1 IoCs
Contains strings related to Industroyer module used to communicate with power transmission grids over IEC-104 protocol.
resource yara_rule static1/unpack001/ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe win_industroyer_w3 -
Industroyer family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe
Files
-
3e90705aba37a41167ba16227f849865f2fa8f75002f955c681ec40543da7bf1.zip
Password: infected
-
ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe.exe windows:5 windows x86 arch:x86
2cf6ff919d8af9170b36d01b351744f3
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
HeapFree
HeapSize
HeapReAlloc
HeapAlloc
GetProcessHeap
SetWaitableTimer
EnterCriticalSection
CreateWaitableTimerW
WaitForMultipleObjects
LeaveCriticalSection
InitializeCriticalSection
GetExitCodeThread
TerminateThread
CloseHandle
CreateThread
DeleteCriticalSection
CompareFileTime
WaitForMultipleObjectsEx
OpenEventW
FileTimeToSystemTime
SystemTimeToFileTime
GetSystemTime
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
InterlockedCompareExchange
CreateFileW
Sleep
GetCommandLineW
LocalFree
ExitProcess
MoveFileA
Process32First
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
GetLastError
Process32Next
ws2_32
WSAStartup
select
send
__WSAFDIsSet
WSACleanup
inet_addr
socket
connect
recv
htons
ioctlsocket
setsockopt
WSAGetLastError
closesocket
shell32
CommandLineToArgvW
oleaut32
VarDateFromStr
VariantTimeToSystemTime
shlwapi
wvnsprintfA
StrToIntA
wnsprintfW
Sections
.text Size: 28KB - Virtual size: 28KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 101B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 1024B - Virtual size: 820B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ