Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
15-07-2024 04:52
Static task
static1
Behavioral task
behavioral1
Sample
85d4c08f11644f140e799ad3e4334820N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
85d4c08f11644f140e799ad3e4334820N.exe
Resource
win10v2004-20240709-en
General
-
Target
85d4c08f11644f140e799ad3e4334820N.exe
-
Size
225KB
-
MD5
85d4c08f11644f140e799ad3e4334820
-
SHA1
32560142b603b7633aa8822a445fb710f2619b67
-
SHA256
3ef01dd76204678308f6e001dc14bf7892f6582ac0255f30e77929c359f8b608
-
SHA512
1db90db0497d06fc5739b4742d3c222622ea7c118b0c29a84fed925042c825626c9f3e6e9ff2a2d8061eb4fa8877fbc2a6dd8fc3277378ee5d5560864d049eec
-
SSDEEP
6144:PA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:PATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: winver.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\385784E1 = "C:\\Users\\Admin\\AppData\\Roaming\\385784E1\\bin.exe"
process: winver.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes: winver.exe
pid: 2764  process: winver.exe (46 events, all from PID 2764 winver.exe) -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: winver.exe
pid: 2764  process: winver.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 85d4c08f11644f140e799ad3e4334820N.exe, winver.exe
description                        pid   process                                  target process
PID 2292 wrote to memory of 2764   2292  85d4c08f11644f140e799ad3e4334820N.exe    winver.exe
PID 2292 wrote to memory of 2764   2292  85d4c08f11644f140e799ad3e4334820N.exe    winver.exe
PID 2292 wrote to memory of 2764   2292  85d4c08f11644f140e799ad3e4334820N.exe    winver.exe
PID 2292 wrote to memory of 2764   2292  85d4c08f11644f140e799ad3e4334820N.exe    winver.exe
PID 2292 wrote to memory of 2764   2292  85d4c08f11644f140e799ad3e4334820N.exe    winver.exe
PID 2764 wrote to memory of 1228   2764  winver.exe                               Explorer.EXE
PID 2764 wrote to memory of 1112   2764  winver.exe                               taskhost.exe
PID 2764 wrote to memory of 1168   2764  winver.exe                               Dwm.exe
PID 2764 wrote to memory of 1228   2764  winver.exe                               Explorer.EXE
PID 2764 wrote to memory of 2044   2764  winver.exe                               DllHost.exe
PID 2764 wrote to memory of 2292   2764  winver.exe                               85d4c08f11644f140e799ad3e4334820N.exe
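The two signatures above describe one chain: the dropper (PID 2292) writes into a freshly started copy of the Windows binary winver.exe (PID 2764), which then plants a Run value named 385784E1 pointing at a payload under AppData\Roaming and writes into Explorer.EXE, taskhost.exe, Dwm.exe and DllHost.exe. The script below is an added example, not the sandbox's own code or output: it runs that detection logic over constructed, Sysmon-shaped events modelled on the report's IoCs. The event field names, the benign control events, the list of "trusted" system processes and the three-target threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed events (NOT sandbox or Sysmon output). "registry_set" mirrors a
# Sysmon Event ID 13 record, "process_access" a Sysmon Event ID 10 record; the
# field names are this example's own, not Sysmon's schema.
SID = "S-1-5-21-940600906-3464502421-4240639183-1000"
WINVER = r"C:\Windows\SysWOW64\winver.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85d4c08f11644f140e799ad3e4334820N.exe"
ALL_ACCESS = 0x1FFFFF  # PROCESS_ALL_ACCESS on Vista and later

EVENTS = [
    {"event": "registry_set", "pid": 2764, "image": WINVER,
     "key": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\385784E1",
     "value": r"C:\Users\Admin\AppData\Roaming\385784E1\bin.exe"},
    {"event": "process_access", "pid": 2292, "image": SAMPLE, "target_pid": 2764,
     "target_image": WINVER, "granted_access": ALL_ACCESS},
    {"event": "process_access", "pid": 2764, "image": WINVER, "target_pid": 1228,
     "target_image": r"C:\Windows\Explorer.EXE", "granted_access": ALL_ACCESS},
    {"event": "process_access", "pid": 2764, "image": WINVER, "target_pid": 1112,
     "target_image": r"C:\Windows\system32\taskhost.exe", "granted_access": ALL_ACCESS},
    {"event": "process_access", "pid": 2764, "image": WINVER, "target_pid": 1168,
     "target_image": r"C:\Windows\system32\Dwm.exe", "granted_access": ALL_ACCESS},
    {"event": "process_access", "pid": 2764, "image": WINVER, "target_pid": 2044,
     "target_image": r"C:\Windows\system32\DllHost.exe", "granted_access": ALL_ACCESS},
    {"event": "process_access", "pid": 2764, "image": WINVER, "target_pid": 2292,
     "target_image": SAMPLE, "granted_access": ALL_ACCESS},
    # Benign controls (constructed): a vendor installer's Run value under
    # Program Files, and a process viewer opening Explorer read-only.
    {"event": "registry_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"event": "process_access", "pid": 5200, "image": r"C:\Tools\procexp.exe",
     "target_pid": 1228, "target_image": r"C:\Windows\Explorer.EXE",
     "granted_access": 0x1410},  # QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION
]

PROCESS_VM_WRITE = 0x0020  # Win32 process access right needed for WriteProcessMemory
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\", re.IGNORECASE)
HEXNAME_RE = re.compile(r"^[0-9A-F]{6,16}$")  # assumption: opaque hex value names are rare in legitimate software
SYSTEM_PROCS = {"explorer.exe", "taskhost.exe", "dwm.exe", "dllhost.exe", "svchost.exe", "winlogon.exe"}


def suspicious_run_keys(events):
    """Run/RunOnce values whose payload lives in a user-writable path or whose
    value name is an opaque hex tag, as with the report's 385784E1 entry."""
    hits = []
    for e in events:
        if e["event"] != "registry_set" or not RUN_KEY_RE.search(e["key"]):
            continue
        name = e["key"].rsplit("\\", 1)[-1]
        reasons = []
        if USER_WRITABLE_RE.search(e["value"]):
            reasons.append("payload in user-writable path")
        if HEXNAME_RE.match(name):
            reasons.append("opaque hex value name")
        if reasons:
            hits.append({"pid": e["pid"], "image": e["image"], "name": name,
                         "value": e["value"], "reasons": reasons})
    return hits


def cross_process_writers(events, min_targets=3):
    """Source PIDs that obtained PROCESS_VM_WRITE on at least min_targets distinct
    trusted system processes. Read-only handles (the procexp control) are ignored,
    as are writes into non-system targets such as the dropper itself."""
    targets, images = defaultdict(set), {}
    for e in events:
        if e["event"] != "process_access" or not e["granted_access"] & PROCESS_VM_WRITE:
            continue
        basename = e["target_image"].rsplit("\\", 1)[-1].lower()
        if basename in SYSTEM_PROCS:
            targets[e["pid"]].add((e["target_pid"], basename))
            images[e["pid"]] = e["image"]
    return {pid: {"image": images[pid], "targets": sorted(t)}
            for pid, t in targets.items() if len(t) >= min_targets}


def correlate(events, min_targets=3):
    """Highest-confidence finding: a PID that both planted a suspicious Run value
    and wrote into several system processes, i.e. winver.exe (2764) above."""
    persisters = {h["pid"] for h in suspicious_run_keys(events)}
    return sorted(pid for pid in cross_process_writers(events, min_targets) if pid in persisters)


if __name__ == "__main__":
    for h in suspicious_run_keys(EVENTS):
        print("run key:", h["pid"], h["name"], "->", h["value"], h["reasons"])
    for pid, info in cross_process_writers(EVENTS).items():
        print("injector:", pid, info["image"], info["targets"])
    print("correlated:", correlate(EVENTS))
```

The writer check keys on the granted access mask rather than on the count of access events, because a single PROCESS_VM_WRITE handle is enough for WriteProcessMemory while a monitoring tool that opens every process read-only generates far more events and never trips it. The hex-name heuristic is deliberately narrow (6 to 16 uppercase hex digits) so that ordinary product names under Run do not match.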
Processes
-
C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
-
C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\85d4c08f11644f140e799ad3e4334820N.exe (child of Explorer.EXE)
    command line: "C:\Users\Admin\AppData\Local\Temp\85d4c08f11644f140e799ad3e4334820N.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (child of 85d4c08f11644f140e799ad3e4334820N.exe)
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                              filesize
memory/1112-26-0x00000000001D0000-0x00000000001D6000-memory.dmp   24KB
memory/1112-9-0x00000000001D0000-0x00000000001D6000-memory.dmp    24KB
memory/1168-12-0x0000000001F90000-0x0000000001F96000-memory.dmp   24KB
memory/1168-28-0x0000000001F90000-0x0000000001F96000-memory.dmp   24KB
memory/1228-15-0x0000000002500000-0x0000000002506000-memory.dmp   24KB
memory/1228-1-0x00000000024F0000-0x00000000024F6000-memory.dmp    24KB
memory/1228-3-0x00000000024F0000-0x00000000024F6000-memory.dmp    24KB
memory/1228-6-0x00000000024F0000-0x00000000024F6000-memory.dmp    24KB
memory/1228-27-0x0000000002500000-0x0000000002506000-memory.dmp   24KB
memory/2044-18-0x0000000001CA0000-0x0000000001CA6000-memory.dmp   24KB
memory/2044-29-0x0000000001CA0000-0x0000000001CA6000-memory.dmp   24KB
memory/2292-25-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/2764-23-0x0000000000270000-0x0000000000276000-memory.dmp   24KB
memory/2764-4-0x0000000000160000-0x0000000000166000-memory.dmp    24KB
memory/2764-31-0x0000000000270000-0x0000000000276000-memory.dmp   24KB
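Fifteen dumps is a lot to open by hand, but the names alone already say most of what matters: every dump except one is a 0x6000-byte (24KB) region, and those regions appear in exactly the processes winver.exe wrote into plus winver.exe itself, while the single 240KB dump in PID 2292 starts at 0x400000, the default image base of a 32-bit EXE, and so is the dropper's own mapped image rather than an injected allocation. The script below is an added example, not the sandbox's tooling: it parses the dump names listed above and groups them into distinct regions. The name layout (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) is inferred from the names themselves, and the injector PID and target set are copied from the WriteProcessMemory signature.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads list above.
DUMP_NAMES = [
    "memory/1112-26-0x00000000001D0000-0x00000000001D6000-memory.dmp",
    "memory/1112-9-0x00000000001D0000-0x00000000001D6000-memory.dmp",
    "memory/1168-12-0x0000000001F90000-0x0000000001F96000-memory.dmp",
    "memory/1168-28-0x0000000001F90000-0x0000000001F96000-memory.dmp",
    "memory/1228-15-0x0000000002500000-0x0000000002506000-memory.dmp",
    "memory/1228-1-0x00000000024F0000-0x00000000024F6000-memory.dmp",
    "memory/1228-3-0x00000000024F0000-0x00000000024F6000-memory.dmp",
    "memory/1228-6-0x00000000024F0000-0x00000000024F6000-memory.dmp",
    "memory/1228-27-0x0000000002500000-0x0000000002506000-memory.dmp",
    "memory/2044-18-0x0000000001CA0000-0x0000000001CA6000-memory.dmp",
    "memory/2044-29-0x0000000001CA0000-0x0000000001CA6000-memory.dmp",
    "memory/2292-25-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/2764-23-0x0000000000270000-0x0000000000276000-memory.dmp",
    "memory/2764-4-0x0000000000160000-0x0000000000166000-memory.dmp",
    "memory/2764-31-0x0000000000270000-0x0000000000276000-memory.dmp",
]

# From the "Suspicious use of WriteProcessMemory" signature: winver.exe (2764)
# wrote into Explorer.EXE, taskhost.exe, Dwm.exe and DllHost.exe.
INJECTOR_PID = 2764
INJECTION_TARGETS = {1228, 1112, 1168, 2044}

# Assumed naming scheme, read off the names above rather than documented.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split one dump name into pid, sequence number and the [start, end) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_size(names):
    """{region size: {pid: sorted distinct (start, end) ranges}}. Repeated dumps of
    the same range (snapshots taken at different points in the run) collapse."""
    out = defaultdict(lambda: defaultdict(set))
    for n in names:
        d = parse_dump_name(n)
        out[d["size"]][d["pid"]].add((d["start"], d["end"]))
    return {size: {pid: sorted(r) for pid, r in pids.items()} for size, pids in out.items()}


def image_base_regions(names, base=0x400000):
    """PIDs with a dumped region starting at the default 32-bit EXE image base:
    that region is the process's own executable, not an injected buffer."""
    return sorted({d["pid"] for d in map(parse_dump_name, names) if d["start"] == base})


def injection_footprint(names, injector_pid, targets):
    """Region sizes the injector holds that also appear in every target process;
    a size shared by all of them is the candidate injected payload."""
    return sorted(size for size, pids in regions_by_size(names).items()
                  if injector_pid in pids and targets <= set(pids))


if __name__ == "__main__":
    for size, pids in sorted(regions_by_size(DUMP_NAMES).items()):
        print(f"{size:#x} ({size // 1024}KB):",
              {pid: [f"{s:#x}-{e:#x}" for s, e in r] for pid, r in pids.items()})
    print("image-base regions in PIDs:", image_base_regions(DUMP_NAMES))
    print("injected payload size candidates:",
          [f"{s:#x}" for s in injection_footprint(DUMP_NAMES, INJECTOR_PID, INJECTION_TARGETS)])
```

Two things follow from the grouping that a practitioner would act on: the 24KB dumps from the four injection targets are the ones to diff against each other and against the two 24KB regions in winver.exe (an identical 0x6000-byte blob in every target is the injected stub), and the 1228 and 2764 entries each hold two distinct 24KB ranges, so a second allocation happened in those processes and the earlier snapshot should not be discarded as a duplicate.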