Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 06:59
Static task: static1
Behavioral task: behavioral1
- Sample: 6886b964f5242f6f99d65f0bbd6ff660N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 6886b964f5242f6f99d65f0bbd6ff660N.exe
- Resource: win10v2004-20240709-en
General
- Target: 6886b964f5242f6f99d65f0bbd6ff660N.exe
- Size: 225KB
- MD5: 6886b964f5242f6f99d65f0bbd6ff660
- SHA1: 95056aa9c77ca91f64a31425f2c80766961b523d
- SHA256: 49fd87eb13c0773f3e50d5cf4a18938c3a1a36fcd6768b193b061e37390513b9
- SHA512: ea667e9187d90a544e4df2262b500201c52e3ce0e7b23d91a99403723287d91ee8571a92e0ce4b6b04ecce37cadde1cc26ee01b7f748d5d5b2332c59918d41de
- SSDEEP: 6144:XA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:XATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: winver.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\00ADF4D6 = "C:\\Users\\Admin\\AppData\\Roaming\\00ADF4D6\\bin.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Process: winver.exe (PID 2860), 46 identical events
- Suspicious use of FindShellTrayWindow (1 IoC)
  Process: winver.exe (PID 2860)
- Suspicious use of WriteProcessMemory (10 IoCs)
  source PID -> target PID: source process -> target process
  2156 -> 2860: 6886b964f5242f6f99d65f0bbd6ff660N.exe -> winver.exe (5 events)
  2860 -> 1240: winver.exe -> Explorer.EXE (2 events)
  2860 -> 1108: winver.exe -> taskhost.exe
  2860 -> 1168: winver.exe -> Dwm.exe
  2860 -> 1664: winver.exe -> DllHost.exe
Processes (path, command line, tree depth)
- C:\Windows\system32\taskhost.exe, "taskhost.exe", depth 1
- C:\Windows\system32\Dwm.exe, "C:\Windows\system32\Dwm.exe", depth 1
- C:\Windows\Explorer.EXE, C:\Windows\Explorer.EXE, depth 1
  - C:\Users\Admin\AppData\Local\Temp\6886b964f5242f6f99d65f0bbd6ff660N.exe, "C:\Users\Admin\AppData\Local\Temp\6886b964f5242f6f99d65f0bbd6ff660N.exe", depth 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe, winver, depth 3
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe, C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, depth 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads