Analysis
- max time kernel: 23s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-06-2024 19:52
General
- Target: putty.exe
- Size: 45KB
- MD5: 4d820f671919b3029173d8659aa59600
- SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
- SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
- SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
- SSDEEP: 768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj
Malware Config
Extracted
- Family: xenorat
- performance-ha.gl.at.ply.gg
- Putty
- delay: 5000
- install_path: appdata
- port: 33365
- startup_name: Windows Updater
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: putty.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | putty.exe
- Executes dropped EXE (1 IoC)
  Processes: putty.exe
  pid | process
  2732 | putty.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: putty.exe, putty.exe
  description | pid | process | target process
  PID 3896 wrote to memory of 2732 | 3896 | putty.exe | putty.exe
  PID 3896 wrote to memory of 2732 | 3896 | putty.exe | putty.exe
  PID 3896 wrote to memory of 2732 | 3896 | putty.exe | putty.exe
  PID 2732 wrote to memory of 4408 | 2732 | putty.exe | schtasks.exe
  PID 2732 wrote to memory of 4408 | 2732 | putty.exe | schtasks.exe
  PID 2732 wrote to memory of 4408 | 2732 | putty.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\putty.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\putty.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XenoManager\putty.exe
    Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\putty.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp" /F
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp
  Filesize: 1KB
  MD5: 07b73e4a02c60fc71857670f85685de2
  SHA1: c29ec082e095280bb5dbd88084eadc95298cd922
  SHA256: 7e250b4c9b733f4b5f384fb20f60573ad788bbb512fecb0ad32e4813defa3e8b
  SHA512: 5282e77ae7568ec8b51d3b13f7093cd522c65a36711c6bd76a66120d33ca3b69f9e817b1d25d041da7915bec09a8d6dd8c1701b66e3ac5c9bc8ce9d0b31d53ad
- C:\Users\Admin\AppData\Roaming\XenoManager\putty.exe
  Filesize: 45KB
  MD5: 4d820f671919b3029173d8659aa59600
  SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
  SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
  SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
- memory/2732-14-0x0000000074AE0000-0x0000000075290000-memory.dmp
  Filesize: 7.7MB
- memory/2732-17-0x0000000074AE0000-0x0000000075290000-memory.dmp
  Filesize: 7.7MB
- memory/3896-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp
  Filesize: 4KB
- memory/3896-1-0x0000000000650000-0x0000000000662000-memory.dmp
  Filesize: 72KB