Analysis
-
max time kernel
23s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
07-06-2024 19:52
General
-
Target
putty.exe
-
Size
45KB
-
MD5
4d820f671919b3029173d8659aa59600
-
SHA1
af68a0b9e9c58dcbdd2ede205c30537bca39650c
-
SHA256
c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
-
SHA512
5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
-
SSDEEP
768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj
Malware Config
Extracted
xenorat
performance-ha.gl.at.ply.gg
Putty
-
delay
5000
-
install_path
appdata
-
port
33365
-
startup_name
Windows Updater
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation putty.exe -
Executes dropped EXE 1 IoCs
pid Process 2732 putty.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4408 schtasks.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3896 wrote to memory of 2732 3896 putty.exe 83 PID 3896 wrote to memory of 2732 3896 putty.exe 83 PID 3896 wrote to memory of 2732 3896 putty.exe 83 PID 2732 wrote to memory of 4408 2732 putty.exe 91 PID 2732 wrote to memory of 4408 2732 putty.exe 91 PID 2732 wrote to memory of 4408 2732 putty.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\putty.exe"C:\Users\Admin\AppData\Local\Temp\putty.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Users\Admin\AppData\Roaming\XenoManager\putty.exe"C:\Users\Admin\AppData\Roaming\XenoManager\putty.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp" /F3⤵
- Creates scheduled task(s)
PID:4408
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD507b73e4a02c60fc71857670f85685de2
SHA1c29ec082e095280bb5dbd88084eadc95298cd922
SHA2567e250b4c9b733f4b5f384fb20f60573ad788bbb512fecb0ad32e4813defa3e8b
SHA5125282e77ae7568ec8b51d3b13f7093cd522c65a36711c6bd76a66120d33ca3b69f9e817b1d25d041da7915bec09a8d6dd8c1701b66e3ac5c9bc8ce9d0b31d53ad
-
Filesize
45KB
MD54d820f671919b3029173d8659aa59600
SHA1af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA5125db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e