Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 03:58
Behavioral task: behavioral1
Sample: d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe
Resource: win7-20240708-en
General
Target: d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe
Size: 76KB
MD5: 06a4e5cd0879581e50cda66de874ce99
SHA1: 76135ad5da8658ae1478616c2b90d5006e0bab9e
SHA256: d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f
SHA512: f23571fafec66caa394ce84fca84b26b0719ffb72367bd1971d95d7031fc878b0f07f8aae2ab8d1a4f46f6502305dc4d7aa16c9ab660bc69482114dd7afd04a1
SSDEEP: 1536:WRWjzOe1tu4lx8Wf677WrvafPoHDmzhTk+rmFJN:WweGo4X8VGxHDmzV0Fb
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 1928  Process Sysceamfvfeq.exe

Loads dropped DLL (2 IoCs)
pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe
pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe

resource / yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral1/files/0x000800000001660d-17.dat  upx
behavioral1/memory/2080-12-0x0000000003A80000-0x0000000003AD9000-memory.dmp  upx
behavioral1/memory/1928-21-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral1/memory/2080-22-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral1/memory/1928-23-0x0000000000400000-0x0000000000459000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 1928  Process Sysceamfvfeq.exe  (64 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2080 wrote to memory of 1928  pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe  procid_target 32
description: PID 2080 wrote to memory of 1928  pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe  procid_target 32
description: PID 2080 wrote to memory of 1928  pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe  procid_target 32
description: PID 2080 wrote to memory of 1928  pid 2080  Process d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe  procid_target 32
Processes
C:\Users\Admin\AppData\Local\Temp\d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe (PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d56e04bf312c24ce7df62c8336f4b0d1ce4795b61d3a2b8173acb59a0685900f.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\Sysceamfvfeq.exe (PID 1928)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Sysceamfvfeq.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: 0f2be204e6bbb3804adcdf96a2718031
SHA1: ea952ffdea64691771ede24582a59458374d5594
SHA256: 7ded7144638a1a02041e8f71136664953f888409ee3ba35bdfbca470e0867ed3
SHA512: aa225559ff9737f85c2e9363920f1ef4502cd7353035e776e1ada303ffbb23e83503c1adca5847c9a9493606747e072c404f155e245cd9bb0ec2d9bf1c107ed9

Filesize: 102B
MD5: fcaa1a4b2e59f4a00ca24628dfba9dee
SHA1: 838ad79062965b6355908a0f76548ba906137a19
SHA256: f6c37fa220440126a4f0eb72748248a7ea7c9ff92506238b46ffa9f0f622e23b
SHA512: c887719b177114f93ce731316783621a57cd6ce5ffd1d04ee8c01c1cf271852a55eb4a3678792a0ba1f5d794d69ba9ff9572ef93dd375a74ad71967b80779f80