Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
  Resource: win10v2004-20240709-en
General
Target: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
Size: 432KB
MD5: 3b4dea238c3bd7ec6fcca12e7d846361
SHA1: 5072d208a9f5e17934decc5e787ff613ee2cf870
SHA256: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627
SHA512: 6e1a41f2610d1eb149b8c362ef98410e62382c6f4a43fefdf2e5b38d2741d311b3a943395f914cc23903d3ba1e97d8729b4e0ed7ec1a65636b6bd72a84d52acb
SSDEEP: 6144:4jlYKRF/LReWAsUy0+sHOeDhX4RV+cw3GSo59nnS8gjHmrijMLH:4jauDReWpsHOTRV+T3vobnl/LH
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2808: pbppl.exe
Loads dropped DLL (2 IoCs)
  PID 2712: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
  PID 2712: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\pbppl.exe" (process: pbppl.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: pbppl.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2712 (8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe) wrote to memory of PID 2808, target procid 30 (4 identical entries)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe" (PID 2712)
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\ProgramData\pbppl.exe" (PID 2808), child of PID 2712
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 432KB
  MD5: 431a7ff19c2c369f7afe6109e479da89
  SHA1: aa68daf6fa2f497a7c7609ebecb749ef13284626
  SHA256: 0a0b00ed8396682578f56bc7b0973c75d5b1ed335bf3c14d63572a24d3bf9e10
  SHA512: 785f1fdeda4b7e5978226cd9f65e37f2ecf1957436a8b973cb99e53b30448d6dd913721a5137a28743ee0dcc5991b367815a2cdd0d09ecf76bffc076f42740fb
File 2
  Filesize: 136KB
  MD5: cb4c442a26bb46671c638c794bf535af
  SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
  SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
  SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
File 3
  Filesize: 295KB
  MD5: 6f2e3a92e4681c9bf6ff45d740797189
  SHA1: 2c2b0ce00410fa5fe9c2adf5749f119feefdd82e
  SHA256: 6d7541c1a578f8b18577f22a951a56fd60a2f44d28a41ed44b80f853cb7bb6cf
  SHA512: a9245dfe95a8a4397cdd9d19c527b80f6e22ec809f2c05ba3dff4ec90e334a97868d5dfa0b0c8a1595c33140cedcadca1e5ed8bd051086cd3d22d39d16e14c96