Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12-07-2024 02:07
Static task: static1

Behavioral task: behavioral1
- Sample: 261671551f4b2c549af30d3c9165ced0N.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 261671551f4b2c549af30d3c9165ced0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 261671551f4b2c549af30d3c9165ced0N.exe
- Size: 225KB
- MD5: 261671551f4b2c549af30d3c9165ced0
- SHA1: af77c63ce9b6a83e4276aa81f1feb8d14a88b810
- SHA256: fd60b3d45d3f37279dd1db72d4c74cc7bc5264189eaa60484b77bf5c881f4307
- SHA512: c5ce800f855ad6a93223b164f66d144b7e9f155e8e332b912e0677406a5e49dcd3ff3de5a6487269adf2aaaa83bdb547ccb247253b2074981cf842510a67ac76
- SSDEEP: 6144:BA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:BATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\1B0A26B6 = "C:\\Users\\Admin\\AppData\\Roaming\\1B0A26B6\\bin.exe" | winver.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (47 IoCs)
  Processes: winver.exe
  pid | process
  2652 | winver.exe (this same entry is listed 47 times in the report)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: winver.exe, Explorer.EXE
  pid | process
  2652 | winver.exe
  1188 | Explorer.EXE
  1188 | Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
  pid | process
  1188 | Explorer.EXE
  1188 | Explorer.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 261671551f4b2c549af30d3c9165ced0N.exe, winver.exe
  description | pid | process | target process
  PID 1960 wrote to memory of 2652 | 1960 | 261671551f4b2c549af30d3c9165ced0N.exe | winver.exe
  PID 1960 wrote to memory of 2652 | 1960 | 261671551f4b2c549af30d3c9165ced0N.exe | winver.exe
  PID 1960 wrote to memory of 2652 | 1960 | 261671551f4b2c549af30d3c9165ced0N.exe | winver.exe
  PID 1960 wrote to memory of 2652 | 1960 | 261671551f4b2c549af30d3c9165ced0N.exe | winver.exe
  PID 1960 wrote to memory of 2652 | 1960 | 261671551f4b2c549af30d3c9165ced0N.exe | winver.exe
  PID 2652 wrote to memory of 1188 | 2652 | winver.exe | Explorer.EXE
  PID 2652 wrote to memory of 1088 | 2652 | winver.exe | taskhost.exe
  PID 2652 wrote to memory of 1160 | 2652 | winver.exe | Dwm.exe
  PID 2652 wrote to memory of 1188 | 2652 | winver.exe | Explorer.EXE
  PID 2652 wrote to memory of 1652 | 2652 | winver.exe | DllHost.exe
  PID 2652 wrote to memory of 1960 | 2652 | winver.exe | 261671551f4b2c549af30d3c9165ced0N.exe
Processes (nesting follows the depth markers in the report: depth 1, 2, 3)
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\261671551f4b2c549af30d3c9165ced0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\261671551f4b2c549af30d3c9165ced0N.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1088-26-0x0000000000410000-0x0000000000416000-memory.dmp (24KB)
- memory/1088-9-0x0000000000410000-0x0000000000416000-memory.dmp (24KB)
- memory/1160-12-0x0000000000390000-0x0000000000396000-memory.dmp (24KB)
- memory/1160-28-0x0000000000390000-0x0000000000396000-memory.dmp (24KB)
- memory/1188-15-0x00000000025A0000-0x00000000025A6000-memory.dmp (24KB)
- memory/1188-6-0x0000000002550000-0x0000000002556000-memory.dmp (24KB)
- memory/1188-1-0x0000000002550000-0x0000000002556000-memory.dmp (24KB)
- memory/1188-3-0x0000000002550000-0x0000000002556000-memory.dmp (24KB)
- memory/1188-27-0x00000000025A0000-0x00000000025A6000-memory.dmp (24KB)
- memory/1652-18-0x0000000001F90000-0x0000000001F96000-memory.dmp (24KB)
- memory/1652-29-0x0000000001F90000-0x0000000001F96000-memory.dmp (24KB)
- memory/1960-25-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/2652-23-0x00000000002D0000-0x00000000002D6000-memory.dmp (24KB)
- memory/2652-4-0x00000000000B0000-0x00000000000B6000-memory.dmp (24KB)
- memory/2652-31-0x00000000002D0000-0x00000000002D6000-memory.dmp (24KB)