Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
10-07-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe
Resource
win10v2004-20240709-en
General
-
Target
1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe
-
Size
225KB
-
MD5
b9c80472836036f3715f68d64d0784de
-
SHA1
d37d90640870910b15b0999b0083cd05df64b42d
-
SHA256
1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723
-
SHA512
cda4caeeb238d5bc3435b093b1254f9a6fb53dc9cea84d69a16c715a173c87007a9f6a0c76ff38daaa5fa50676633f9ad16ac8cd73772f5a4aab66a72e2b01b0
-
SSDEEP
6144:BA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:BATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
winver.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\2EB33889 = "C:\\Users\\Admin\\AppData\\Roaming\\2EB33889\\bin.exe" | winver.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
Processes:
winver.exe
pid | process
2804 | winver.exe (the same entry is reported 57 times) -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
winver.exepid process 2804 winver.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe, winver.exe
description | pid | process | target process
PID 1944 wrote to memory of 2804 | 1944 | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe | winver.exe
PID 1944 wrote to memory of 2804 | 1944 | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe | winver.exe
PID 1944 wrote to memory of 2804 | 1944 | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe | winver.exe
PID 1944 wrote to memory of 2804 | 1944 | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe | winver.exe
PID 1944 wrote to memory of 2804 | 1944 | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe | winver.exe
PID 2804 wrote to memory of 1384 | 2804 | winver.exe | Explorer.EXE
PID 2804 wrote to memory of 1232 | 2804 | winver.exe | taskhost.exe
PID 2804 wrote to memory of 1328 | 2804 | winver.exe | Dwm.exe
PID 2804 wrote to memory of 1384 | 2804 | winver.exe | Explorer.EXE
PID 2804 wrote to memory of 1240 | 2804 | winver.exe | DllHost.exe
PID 2804 wrote to memory of 1944 | 2804 | winver.exe | 1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe
Processes
-
- [depth 1] C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
-
- [depth 1] C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
-
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe"
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\winver.exe
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
-
- [depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1232-29-0x00000000003A0000-0x00000000003A6000-memory.dmp | Filesize 24KB
- memory/1232-9-0x00000000003A0000-0x00000000003A6000-memory.dmp | Filesize 24KB
- memory/1240-18-0x0000000001CA0000-0x0000000001CA6000-memory.dmp | Filesize 24KB
- memory/1240-26-0x0000000001CA0000-0x0000000001CA6000-memory.dmp | Filesize 24KB
- memory/1328-27-0x00000000019C0000-0x00000000019C6000-memory.dmp | Filesize 24KB
- memory/1328-12-0x00000000019C0000-0x00000000019C6000-memory.dmp | Filesize 24KB
- memory/1384-15-0x0000000002660000-0x0000000002666000-memory.dmp | Filesize 24KB
- memory/1384-1-0x0000000002610000-0x0000000002616000-memory.dmp | Filesize 24KB
- memory/1384-3-0x0000000002610000-0x0000000002616000-memory.dmp | Filesize 24KB
- memory/1384-6-0x0000000002610000-0x0000000002616000-memory.dmp | Filesize 24KB
- memory/1384-28-0x0000000002660000-0x0000000002666000-memory.dmp | Filesize 24KB
- memory/1944-25-0x0000000000400000-0x000000000043C000-memory.dmp | Filesize 240KB
- memory/2804-23-0x0000000000270000-0x0000000000276000-memory.dmp | Filesize 24KB
- memory/2804-5-0x0000000000140000-0x0000000000146000-memory.dmp | Filesize 24KB
- memory/2804-4-0x0000000000140000-0x0000000000146000-memory.dmp | Filesize 24KB
- memory/2804-31-0x0000000000270000-0x0000000000276000-memory.dmp | Filesize 24KB
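The three pieces of this report that matter for triage are the Run-key IoC, the "wrote to memory of" rows, and the memory dump list: together they show the sample hollowing or injecting winver.exe, winver.exe then writing into Explorer.EXE, taskhost.exe, Dwm.exe and DllHost.exe, and a 0x6000-byte region being dumped from every one of those targets. The script below, an added triage helper written for this page and not part of the sandbox or of the sample, pulls those three sections apart and cross-references them. The rows and dump names it embeds are copied from the report above; the `run_value_suspicious` heuristic (flag an autostart entry whose target lives under AppData or Temp) is the author's own assumption about what an analyst would check, not a rule from the sandbox.

```python
import re
from collections import defaultdict

SAMPLE = "1f6e686bc0a76bab458cfec64a150a325dbf50109315cbea43e4612d2b222723.exe"

# Rows copied from the "Suspicious use of WriteProcessMemory" signature above.
WPM_ROWS = f"""
PID 1944 wrote to memory of 2804 1944 {SAMPLE} winver.exe
PID 1944 wrote to memory of 2804 1944 {SAMPLE} winver.exe
PID 1944 wrote to memory of 2804 1944 {SAMPLE} winver.exe
PID 1944 wrote to memory of 2804 1944 {SAMPLE} winver.exe
PID 1944 wrote to memory of 2804 1944 {SAMPLE} winver.exe
PID 2804 wrote to memory of 1384 2804 winver.exe Explorer.EXE
PID 2804 wrote to memory of 1232 2804 winver.exe taskhost.exe
PID 2804 wrote to memory of 1328 2804 winver.exe Dwm.exe
PID 2804 wrote to memory of 1384 2804 winver.exe Explorer.EXE
PID 2804 wrote to memory of 1240 2804 winver.exe DllHost.exe
PID 2804 wrote to memory of 1944 2804 winver.exe {SAMPLE}
"""

# Dump names copied from the "Downloads" section above.
DUMP_NAMES = """
memory/1232-29-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/1232-9-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/1240-18-0x0000000001CA0000-0x0000000001CA6000-memory.dmp
memory/1240-26-0x0000000001CA0000-0x0000000001CA6000-memory.dmp
memory/1328-27-0x00000000019C0000-0x00000000019C6000-memory.dmp
memory/1328-12-0x00000000019C0000-0x00000000019C6000-memory.dmp
memory/1384-15-0x0000000002660000-0x0000000002666000-memory.dmp
memory/1384-1-0x0000000002610000-0x0000000002616000-memory.dmp
memory/1384-3-0x0000000002610000-0x0000000002616000-memory.dmp
memory/1384-6-0x0000000002610000-0x0000000002616000-memory.dmp
memory/1384-28-0x0000000002660000-0x0000000002666000-memory.dmp
memory/1944-25-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-23-0x0000000000270000-0x0000000000276000-memory.dmp
memory/2804-5-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2804-4-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2804-31-0x0000000000270000-0x0000000000276000-memory.dmp
"""

# The Run-key IoC copied from the "Adds Run key to start application" signature.
RUN_KEY_IOC = (r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\2EB33889 = "
               r'"C:\\Users\\Admin\\AppData\\Roaming\\2EB33889\\bin.exe"')

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
RUN_RE = re.compile(r"\\REGISTRY\\\S+?\\Run\\(\S+) = \"(.+)\"")


def parse_wpm(text):
    """Injection graph: {(src_pid, src_name): {(dst_pid, dst_name): write_count}}."""
    graph = defaultdict(lambda: defaultdict(int))
    for m in WPM_RE.finditer(text):
        src, dst, src_name, dst_name = m.groups()
        graph[(int(src), src_name)][(int(dst), dst_name)] += 1
    return graph


def parse_dumps(text):
    """Dumped regions per pid as sorted (start, end, size) tuples, duplicates removed."""
    regions = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        pid, start, end = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        regions[int(pid)].add((start, end, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


def correlate(graph, regions):
    """For every cross-process write target, attach the regions the sandbox dumped from it."""
    out = {}
    for (src_pid, src_name), targets in graph.items():
        for (dst_pid, dst_name), n in targets.items():
            if dst_pid == src_pid:
                continue  # a process writing to itself is not injection
            out[dst_pid] = {"name": dst_name, "injected_by": src_name,
                            "writes": n, "regions": regions.get(dst_pid, [])}
    return out


def common_injected_size(corr, skip_names=()):
    """Size shared by all dumped regions in the targets, or None if they differ."""
    sizes = {size for t in corr.values() if t["name"] not in skip_names
             for (_, _, size) in t["regions"]}
    return sizes.pop() if len(sizes) == 1 else None


def parse_run_key(ioc):
    """(value name, unescaped target path) from the sandbox's Run-key IoC line."""
    name, target = RUN_RE.search(ioc).groups()
    return name, target.replace("\\\\", "\\")


def run_value_suspicious(target):
    """Assumed heuristic: autostart into a user-writable profile directory."""
    low = target.lower()
    return "\\appdata\\" in low or "\\temp\\" in low


if __name__ == "__main__":
    corr = correlate(parse_wpm(WPM_ROWS), parse_dumps(DUMP_NAMES))
    for pid, t in sorted(corr.items()):
        print(pid, t["name"], "<-", t["injected_by"], [hex(s) for *_, s in t["regions"]])
    print("uniform implant size:", hex(common_injected_size(corr, skip_names=(SAMPLE,))))
    name, target = parse_run_key(RUN_KEY_IOC)
    print("Run value", name, "->", target, "suspicious:", run_value_suspicious(target))
```

What the correlation shows here: every process winver.exe wrote to has exactly one 0x6000-byte (24KB) dump, and winver.exe itself carries two such regions, which is consistent with a small stub being placed in each host rather than a full payload; the only differently sized dump is the 240KB image of the original sample at its 0x400000 base. The Run value points into `%APPDATA%\2EB33889\bin.exe`, a path the report does not otherwise show being written, so the dropped file itself is not something this run captured.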