Resubmissions
Submitted | ID | Score
05/05/2024, 20:46 | 240505-zkp6xsde2x | 1
05/05/2024, 20:46 | 240505-zkd4nagf23 | 1
05/05/2024, 20:45 | 240505-zjph1add71 | 3
Analysis
-
max time kernel
15s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
05/05/2024, 20:45
Static task
static1
Behavioral task
behavioral1
Sample
xterm_fun.bin
Resource
win7-20240221-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
xterm_fun.bin
Resource
win10v2004-20240419-en
3 signatures
150 seconds
General
-
Target
xterm_fun.bin
-
Size
1KB
-
MD5
4edc13fd7ccd7db1884adb8fd41e4966
-
SHA1
07f3632ca2d088803ba24bad7a99aa14fa06fd44
-
SHA256
5706a78e802e699883b3973b918ca31d27da71a8bcc018ba3be13b7e314258b0
-
SHA512
0883a358cedf171bb15a3500c397309f31438732ed6b9906043c3ba3efd725555d7ce8319747f85723d833575db9572ab181053098e8881b003047fae9a1274a
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3036 wrote to memory of 2888 | 3036 | cmd.exe | 29
PID 3036 wrote to memory of 2888 | 3036 | cmd.exe | 29
PID 3036 wrote to memory of 2888 | 3036 | cmd.exe | 29
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin
  - Suspicious use of WriteProcessMemory
  PID:3036
  -
  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin
    - Modifies registry class
    PID:2888
-