Overview
overview
10Static
static
31.2.6.0.zip
windows10-2004-x64
11.2.6.0.zip
windows11-21h2-x64
11.2.6.0.zip
macos-10.15-amd64
11.2.6.0.zip
ubuntu-24.04-amd64
1.2.6.0/1.2.6.0.lnk
windows10-2004-x64
101.2.6.0/1.2.6.0.lnk
windows11-21h2-x64
101.2.6.0/1.2.6.0.lnk
macos-10.15-amd64
11.2.6.0/1.2.6.0.lnk
ubuntu-24.04-amd64
Resubmissions
19-06-2024 02:56
240619-de4w8ssenf 1019-06-2024 02:46
240619-c9g6aasdnh 1019-06-2024 02:42
240619-c69fcssdlh 3Analysis
-
max time kernel
211s -
max time network
279s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-06-2024 02:46
Static task
static1
Behavioral task
behavioral1
Sample
1.2.6.0.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
1.2.6.0.zip
Resource
win11-20240419-en
Behavioral task
behavioral3
Sample
1.2.6.0.zip
Resource
macos-20240611-en
Behavioral task
behavioral4
Sample
1.2.6.0.zip
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral5
Sample
1.2.6.0/1.2.6.0.lnk
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1.2.6.0/1.2.6.0.lnk
Resource
win11-20240611-en
Behavioral task
behavioral7
Sample
1.2.6.0/1.2.6.0.lnk
Resource
macos-20240611-en
Behavioral task
behavioral8
Sample
1.2.6.0/1.2.6.0.lnk
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
1.2.6.0/1.2.6.0.lnk
-
Size
1KB
-
MD5
ed1743440a109e87c91b9702c80303aa
-
SHA1
d0214b75e865b7375ad60753165823738f14a674
-
SHA256
bc267a377de2a1c28b9e484188153b1593b10f6d1b9e27e7a10532dbdfb8feeb
-
SHA512
a965901436aea141d3246b90728ceffd6721d1f58f24bc6b69b0e44c0a656e17867aeb3cd42f52a78c32137c14db4e64c67646fcfbfd639a5aafee469c392dfc
Malware Config
Extracted
Protocol: ftp- Host:
94.156.8.173 - Port:
21 - Username:
anonymous - Password:
anonymous@
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 3644 wrote to memory of 1772 3644 cmd.exe run.exe PID 3644 wrote to memory of 1772 3644 cmd.exe run.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\1.2.6.0\1.2.6.0.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\1.2.6.0\run.dist\run.exe"C:\Users\Admin\AppData\Local\Temp\1.2.6.0\run.dist\run.exe"2⤵PID:1772
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\f721881715cf4f6fb8ae0cdc1a7135a7 /t 1684 /p 17721⤵PID:4044
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\a27d3e8fdd664041b2c227d1a19377f8 /t 1684 /p 17721⤵PID:2108