Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 14-07-2024 13:04
Static task: static1
Behavioral task: behavioral1
- Sample: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Size: 225KB
- MD5: 0243aad4ee7274a8dbaab8b4626a20b0
- SHA1: 54bf79dccbda8dcb234037782ecae168805af5a8
- SHA256: 7d4d65476e5ea0d34bcfef154c650be24d38ff58d3b024c1e11052feb68dbc23
- SHA512: 2b5adf2b1716ff22f89719263e81bf0bbd3f1bd0bb825df1d769284fee5df22163a98e971e7e018a3d0e56269d0bec89636115f3b4b19f1727a6f1d3e4766434
- SSDEEP: 6144:7A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:7ATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: winver.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\C238C103 = "C:\\Users\\Admin\\AppData\\Roaming\\C238C103\\bin.exe" | winver.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  Processes: winver.exe
  pid | process
  2744 | winver.exe (this same row is listed 61 times in the report, one per IoC)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: winver.exe
  pid | process
  2744 | winver.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 0243aad4ee7274a8dbaab8b4626a20b0N.exe, winver.exe
  description | pid | process | target process
  PID 976 wrote to memory of 2744 | 976 | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
  PID 976 wrote to memory of 2744 | 976 | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
  PID 976 wrote to memory of 2744 | 976 | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
  PID 976 wrote to memory of 2744 | 976 | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
  PID 976 wrote to memory of 2744 | 976 | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
  PID 2744 wrote to memory of 1204 | 2744 | winver.exe | Explorer.EXE
  PID 2744 wrote to memory of 1104 | 2744 | winver.exe | taskhost.exe
  PID 2744 wrote to memory of 1164 | 2744 | winver.exe | Dwm.exe
  PID 2744 wrote to memory of 1204 | 2744 | winver.exe | Explorer.EXE
  PID 2744 wrote to memory of 1088 | 2744 | winver.exe | DllHost.exe
Processes (indentation follows the depth given in the report)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\0243aad4ee7274a8dbaab8b4626a20b0N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0243aad4ee7274a8dbaab8b4626a20b0N.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/976-8-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1088-26-0x0000000001DF0000-0x0000000001DF6000-memory.dmp (Filesize 24KB)
- memory/1088-20-0x0000000001DF0000-0x0000000001DF6000-memory.dmp (Filesize 24KB)
- memory/1104-24-0x0000000002170000-0x0000000002176000-memory.dmp (Filesize 24KB)
- memory/1104-11-0x0000000002170000-0x0000000002176000-memory.dmp (Filesize 24KB)
- memory/1164-27-0x00000000002B0000-0x00000000002B6000-memory.dmp (Filesize 24KB)
- memory/1164-14-0x00000000002B0000-0x00000000002B6000-memory.dmp (Filesize 24KB)
- memory/1204-17-0x00000000025F0000-0x00000000025F6000-memory.dmp (Filesize 24KB)
- memory/1204-3-0x0000000002120000-0x0000000002126000-memory.dmp (Filesize 24KB)
- memory/1204-1-0x0000000002120000-0x0000000002126000-memory.dmp (Filesize 24KB)
- memory/1204-25-0x00000000025F0000-0x00000000025F6000-memory.dmp (Filesize 24KB)
- memory/1204-6-0x0000000002120000-0x0000000002126000-memory.dmp (Filesize 24KB)
- memory/2744-23-0x0000000000260000-0x0000000000266000-memory.dmp (Filesize 24KB)
- memory/2744-4-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize 24KB)
- memory/2744-5-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize 24KB)
- memory/2744-29-0x0000000000260000-0x0000000000266000-memory.dmp (Filesize 24KB)