Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 23:58
Behavioral task: behavioral1
- Sample: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Resource: win10v2004-20240709-en
General
- Target: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Size: 45KB
- MD5: 3269b681ee1b6f8e489ab1725edfc810
- SHA1: 3c08e612a160e88bc52533ba365b28b5b7774b14
- SHA256: 1222699a8e4b76b05652a522b62fa37f47d9b4662b3e4e1e3cf7b01e93d92376
- SHA512: 15a1b32bde51cc1371933cca3fd1cd355414c2a8c7a905c8aab769af2495d368cbdae49dd77f4b0fca46e0fa5b20ec0104b4dc2f519449eb85f21c05c9597cf3
- SSDEEP: 768:VhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:HsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
- Processes:
  resource: behavioral1/memory/2312-0-0x0000000000400000-0x000000000041D000-memory.dmp | yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\A2D33379 = "C:\\Users\\Admin\\AppData\\Roaming\\A2D33379\\bin.exe" | process: winver.exe
- Suspicious behavior: EnumeratesProcesses (57 IoCs)
  Processes: winver.exe
  pid: 2804 | process: winver.exe (57 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: winver.exe
  pid: 2804 | process: winver.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 3269b681ee1b6f8e489ab1725edfc810N.exe, winver.exe
  description | pid | process | target process
  PID 2312 wrote to memory of 2804 | 2312 | 3269b681ee1b6f8e489ab1725edfc810N.exe | winver.exe
  PID 2312 wrote to memory of 2804 | 2312 | 3269b681ee1b6f8e489ab1725edfc810N.exe | winver.exe
  PID 2312 wrote to memory of 2804 | 2312 | 3269b681ee1b6f8e489ab1725edfc810N.exe | winver.exe
  PID 2312 wrote to memory of 2804 | 2312 | 3269b681ee1b6f8e489ab1725edfc810N.exe | winver.exe
  PID 2312 wrote to memory of 2804 | 2312 | 3269b681ee1b6f8e489ab1725edfc810N.exe | winver.exe
  PID 2804 wrote to memory of 1244 | 2804 | winver.exe | Explorer.EXE
  PID 2804 wrote to memory of 1112 | 2804 | winver.exe | taskhost.exe
  PID 2804 wrote to memory of 1212 | 2804 | winver.exe | Dwm.exe
  PID 2804 wrote to memory of 1244 | 2804 | winver.exe | Explorer.EXE
  PID 2804 wrote to memory of 660 | 2804 | winver.exe | DllHost.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe")
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe")
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\3269b681ee1b6f8e489ab1725edfc810N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3269b681ee1b6f8e489ab1725edfc810N.exe")
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (command line: winver)
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/660-28-0x0000000001CB0000-0x0000000001CB6000-memory.dmp (Filesize: 24KB)
- memory/660-24-0x0000000001CB0000-0x0000000001CB6000-memory.dmp (Filesize: 24KB)
- memory/660-29-0x0000000077BA1000-0x0000000077BA2000-memory.dmp (Filesize: 4KB)
- memory/1112-25-0x0000000001E90000-0x0000000001E96000-memory.dmp (Filesize: 24KB)
- memory/1112-26-0x0000000077BA1000-0x0000000077BA2000-memory.dmp (Filesize: 4KB)
- memory/1212-30-0x0000000000330000-0x0000000000336000-memory.dmp (Filesize: 24KB)
- memory/1212-20-0x0000000000330000-0x0000000000336000-memory.dmp (Filesize: 24KB)
- memory/1244-27-0x00000000021A0000-0x00000000021A6000-memory.dmp (Filesize: 24KB)
- memory/1244-10-0x0000000077BA1000-0x0000000077BA2000-memory.dmp (Filesize: 4KB)
- memory/1244-2-0x00000000029C0000-0x00000000029C6000-memory.dmp (Filesize: 24KB)
- memory/1244-22-0x00000000021A0000-0x00000000021A6000-memory.dmp (Filesize: 24KB)
- memory/1244-3-0x00000000029C0000-0x00000000029C6000-memory.dmp (Filesize: 24KB)
- memory/1244-4-0x00000000029C0000-0x00000000029C6000-memory.dmp (Filesize: 24KB)
- memory/2312-5-0x0000000001CE0000-0x00000000026E0000-memory.dmp (Filesize: 10.0MB)
- memory/2312-12-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2312-0-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2312-1-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/2804-6-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize: 24KB)
- memory/2804-7-0x0000000077D50000-0x0000000077D51000-memory.dmp (Filesize: 4KB)
- memory/2804-8-0x0000000077D4F000-0x0000000077D50000-memory.dmp (Filesize: 4KB)
- memory/2804-11-0x0000000077B50000-0x0000000077CF9000-memory.dmp (Filesize: 1.7MB)
- memory/2804-9-0x0000000077D4F000-0x0000000077D51000-memory.dmp (Filesize: 8KB)
- memory/2804-35-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize: 24KB)