Analysis
-
max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2024, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 019a3cbf6e010648c95022f85d62f860.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 019a3cbf6e010648c95022f85d62f860.exe
  Resource: win10v2004-20240426-en
General
-
Target: 019a3cbf6e010648c95022f85d62f860.exe
Size: 88KB
MD5: 019a3cbf6e010648c95022f85d62f860
SHA1: ad9b5306c6a4414eaf8deba1844f44385f851007
SHA256: 197cad7906f9104440c231c2ada1d29ee21bcd355b20ce743a241e55e229df9f
SHA512: 2c494e93ef603d0a0dea2e79ae8fe862b0f48d6297f54f992a45df93c2d92807e535bc7c1b1d03d431bd81a8c84ce88ef29428cb67f1e890f26571bba72f7a61
SSDEEP: 1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid   Process
1304  explorer.exe
1088  explorer.exe
1524  explorer.exe
1860  explorer.exe
-
Loads dropped DLL 7 IoCs
pid   Process
2780  019a3cbf6e010648c95022f85d62f860.exe (5 entries)
1304  explorer.exe (2 entries)
-
resource                                                                      yara_rule
behavioral1/memory/2780-138-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/2780-136-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/2780-141-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/2780-142-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/2780-143-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/2780-318-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral1/memory/1088-338-0x0000000000400000-0x000000000040B000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"
Process: reg.exe
-
Suspicious use of SetThreadContext 4 IoCs
description                          pid   Process                               procid_target
PID 992 set thread context of 2780   992   019a3cbf6e010648c95022f85d62f860.exe  28
PID 1304 set thread context of 1088  1304  explorer.exe                          33
PID 1304 set thread context of 1524  1304  explorer.exe                          34
PID 1524 set thread context of 1860  1524  explorer.exe                          35
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description              pid   Process
Token: SeDebugPrivilege  1088  explorer.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
992   019a3cbf6e010648c95022f85d62f860.exe
2780  019a3cbf6e010648c95022f85d62f860.exe
1304  explorer.exe
1088  explorer.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
description                       pid   Process                               procid_target  entries
PID 992 wrote to memory of 2780   992   019a3cbf6e010648c95022f85d62f860.exe  28             8
PID 2780 wrote to memory of 1424  2780  019a3cbf6e010648c95022f85d62f860.exe  29             4
PID 1424 wrote to memory of 2380  1424  cmd.exe                               31             4
PID 2780 wrote to memory of 1304  2780  019a3cbf6e010648c95022f85d62f860.exe  32             4
PID 1304 wrote to memory of 1088  1304  explorer.exe                          33             8
PID 1304 wrote to memory of 1524  1304  explorer.exe                          34             8
PID 1524 wrote to memory of 1860  1524  explorer.exe                          35             8
Processes
-
C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe (PID 992, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe (PID 2780, level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1424, level 3)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTSEM.bat" "
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 2380, level 4)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 1304, level 3)
    Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 1088, level 4)
      Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 1524, level 4)
      Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 1860, level 5)
        Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        - Executes dropped EXE
Downloads
-
Filesize: 149B
MD5: fc1798b7c7938454220fda837a76f354
SHA1: b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256: 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512: d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331
-
Filesize: 88KB
MD5: ddea40eeb762234a5acd123260f719c1
SHA1: dab0c958bc6a206a323291a7d476a2a3438384f5
SHA256: 5a0a705a463472d81586e46301c02b5d42d96e1f0e3a11fa8c888e0e4ef66db8
SHA512: ec3ea86e46d144a64969b9f46fb2f8bb347467d19794dec2ed75da18b1032b647add7921eb41c7d43f63dd206f8c5a590b834831bf6508c1419858c908bd9e5c