Analysis
- max time kernel: 119s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/07/2024, 06:52
Static task: static1
Behavioral task: behavioral1
  Sample: 67171941bf537ca68cbd543f25a9f310N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 67171941bf537ca68cbd543f25a9f310N.exe
  Resource: win10v2004-20240709-en
General
- Target: 67171941bf537ca68cbd543f25a9f310N.exe
- Size: 496KB
- MD5: 67171941bf537ca68cbd543f25a9f310
- SHA1: 2bb586b5b12168562263df70391f05cff6b50e0c
- SHA256: 26430f93015e2d36c0500cee32dcfde4fe2d7c0f33fc9110f7c7fd48c6849220
- SHA512: 209caeb9c1f1f7a0c23c361edee0642f04ca9166cd49745b6930449785c9ad165e3b5b685525a5455148a8e8fc76284d509db3ea01338235ab6b76f582e4374b
- SSDEEP: 3072:c4o3aDlGxCLYdvX7oCv4INsTjkdV7UDSxJm2ti4Ms1lzz/:rDDExjFoCQTjkd6GJhi4MsLH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  4696 | svchost.exe
- Drops file in Windows directory (4 IoCs)
  description                   | ioc                      | Process
  File created                  | C:\Windows\pjLnSX.dll    | 67171941bf537ca68cbd543f25a9f310N.exe
  File created                  | C:\Windows\CLOG.txt      | 67171941bf537ca68cbd543f25a9f310N.exe
  File created                  | C:\Windows\LpaNugSE.dll  | svchost.exe
  File opened for modification  | C:\Windows\CLOG.txt      | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  4696 | svchost.exe
  4696 | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          | pid  | Process                                | procid_target
  PID 1584 wrote to memory of 4696     | 1584 | 67171941bf537ca68cbd543f25a9f310N.exe  | 85
  PID 1584 wrote to memory of 4696     | 1584 | 67171941bf537ca68cbd543f25a9f310N.exe  | 85
  PID 1584 wrote to memory of 4696     | 1584 | 67171941bf537ca68cbd543f25a9f310N.exe  | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\67171941bf537ca68cbd543f25a9f310N.exe (PID 1584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\67171941bf537ca68cbd543f25a9f310N.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\sLuQBh\svchost.exe (PID 4696)
    Command line: "C:\ProgramData\sLuQBh\svchost.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 496KB
  MD5: 2ad345ab3ebd77e20158aec89efdfd08
  SHA1: 26bba4da8d848cf475fc1add36e85243cf69605f
  SHA256: 2ea3937b75e9eb3425e282df6a89e0203a9b20710dea9f5bf51257a51bf023f1
  SHA512: 964dad7f16767834f90bdc58c57e224cf420ae1b8739ee3d631e7362b053200fa1eb3a6ab8fdd2825536abb20c7190072f17352b9371ad298bf0c4de60dfc024
- Filesize: 165B
  MD5: e93059405e9839223b4b249a05d531f6
  SHA1: 925a190b7ae18d44a1f1011ab4b435cf900bac7a
  SHA256: 25aa70b51e01846317db69126b4bc45abdde844b2888747ce46523de94a80b17
  SHA512: f40a839022ad7c6051a6ff2f2b6ee5e9b27943f8bd136846e86b0a68c8b132d012c503c66bab2b905e12573e9ea3eb3e1e0b44b7d784fb03f62a56d21d594ecb