Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2024 23:50
Behavioral task
behavioral1
Sample
LisectAVT_2403002A_201.exe
Resource
win7-20240705-en
General
-
Target
LisectAVT_2403002A_201.exe
-
Size
9.2MB
-
MD5
e07a8dd6ca20053ba2a90cf52be73e43
-
SHA1
1a42c89ca50559c1a0668a8a8d31f0ce49620c05
-
SHA256
d9af261e2d79a7e6a13a86cda68e50f267129695ae2abb5ba92df720ac32a0b7
-
SHA512
97a8bad9c962a40ea2c9f5dd770962e84e4d9cad0ca95a87e7e202c84ab4773559b5d5ad025594b4a11f68b87ce2898837d26ab700d4ed62e92eea5a535f3b57
-
SSDEEP
196608:h6UDQWmkC75MSrTfm/E2nTOqyf39XHRRcV:/O7t/TeVnT3G3VHRS
Malware Config
Extracted
amadey
4.18
8a2f5d
http://fastestfreecdn.com
-
install_dir
881c8a9dda
-
install_file
Dctooux.exe
-
strings_key
ebf317c42a152243f9fc9b81833d775c
-
url_paths
/7vAficZogD/index.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource yara_rule behavioral2/memory/4292-8-0x00000000007D0000-0x0000000001105000-memory.dmp family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4292 set thread context of 4468 4292 LisectAVT_2403002A_201.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LisectAVT_2403002A_201.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4292 LisectAVT_2403002A_201.exe 4292 LisectAVT_2403002A_201.exe 4468 cmd.exe 4468 cmd.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4292 LisectAVT_2403002A_201.exe 4468 cmd.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4292 wrote to memory of 4468 4292 LisectAVT_2403002A_201.exe 89 PID 4292 wrote to memory of 4468 4292 LisectAVT_2403002A_201.exe 89 PID 4292 wrote to memory of 4468 4292 LisectAVT_2403002A_201.exe 89 PID 4292 wrote to memory of 4468 4292 LisectAVT_2403002A_201.exe 89 PID 4468 wrote to memory of 4412 4468 cmd.exe 99 PID 4468 wrote to memory of 4412 4468 cmd.exe 99 PID 4468 wrote to memory of 4412 4468 cmd.exe 99 PID 4468 wrote to memory of 4412 4468 cmd.exe 99 PID 4468 wrote to memory of 4412 4468 cmd.exe 99 PID 4468 wrote to memory of 4412 4468 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_201.exe"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_201.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4412
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5f5ad85658ab375a59bec2eb426177759
SHA1b249091d4ae116f9ff5e063091ad66dc8672f858
SHA2569e93ff58f122a3142ea29ffeccc974ac89937d38b66e3eec8f4bbcde006d3194
SHA5124163f2b45a74223ccca91a8d9d1dd849d779e78406926dd7364f7878eae9589731881b5bf4e49ae5dc914fd661d8ad6a53a8580a824e24b5022f191a493f031b