Analysis
max time kernel: 110s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2024, 09:55
Static task: static1
Behavioral task: behavioral1
  Sample: 797065569cecd6926a4c04d9430c6cb0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 797065569cecd6926a4c04d9430c6cb0N.exe
  Resource: win10v2004-20240802-en
General
Target: 797065569cecd6926a4c04d9430c6cb0N.exe
Size: 81KB
MD5: 797065569cecd6926a4c04d9430c6cb0
SHA1: d914fce11cf870d604c3f7bf5620f1edbfd9cc1f
SHA256: a73878cb18feee7556abdeb08b5e2ab0d15d3d6f04ff5a1f40fd110a05d1b6df
SHA512: 0b9a1452f4dce43d3a82451bbbb4b4f746b84d27bf5fe7affb04f3fa6ab07203bd957b80f8bf43992fabeb8874c1cc80350a3a395e7a18205ce3e04dda49e25a
SSDEEP: 1536:BCzyZU9m8/aTZkdfiG50KY6C8zqrmu127m4LO++/+1m6KadhYxU33HX0L:+zcBZGKGY61Xu12/LrCimBaH8UH30L
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 797065569cecd6926a4c04d9430c6cb0N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fedfgejh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fedfgejh.exe

Executes dropped EXE (2 IoCs)
pid | Process
1500 | Fedfgejh.exe
2168 | Flnndp32.exe

Loads dropped DLL (8 IoCs)
pid | Process
2688 | 797065569cecd6926a4c04d9430c6cb0N.exe
2688 | 797065569cecd6926a4c04d9430c6cb0N.exe
1500 | Fedfgejh.exe
1500 | Fedfgejh.exe
2800 | WerFault.exe
2800 | WerFault.exe
2800 | WerFault.exe
2800 | WerFault.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Flnndp32.exe | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Onndkg32.dll | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Fedfgejh.exe | 797065569cecd6926a4c04d9430c6cb0N.exe
File opened for modification | C:\Windows\SysWOW64\Fedfgejh.exe | 797065569cecd6926a4c04d9430c6cb0N.exe
File created | C:\Windows\SysWOW64\Kmpnop32.dll | 797065569cecd6926a4c04d9430c6cb0N.exe
File created | C:\Windows\SysWOW64\Flnndp32.exe | Fedfgejh.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2800 | 2168 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 797065569cecd6926a4c04d9430c6cb0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fedfgejh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flnndp32.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll" | 797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" | Fedfgejh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 797065569cecd6926a4c04d9430c6cb0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 797065569cecd6926a4c04d9430c6cb0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 797065569cecd6926a4c04d9430c6cb0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 797065569cecd6926a4c04d9430c6cb0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fedfgejh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fedfgejh.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2688 wrote to memory of 1500 | 2688 | 797065569cecd6926a4c04d9430c6cb0N.exe | 30
PID 2688 wrote to memory of 1500 | 2688 | 797065569cecd6926a4c04d9430c6cb0N.exe | 30
PID 2688 wrote to memory of 1500 | 2688 | 797065569cecd6926a4c04d9430c6cb0N.exe | 30
PID 2688 wrote to memory of 1500 | 2688 | 797065569cecd6926a4c04d9430c6cb0N.exe | 30
PID 1500 wrote to memory of 2168 | 1500 | Fedfgejh.exe | 31
PID 1500 wrote to memory of 2168 | 1500 | Fedfgejh.exe | 31
PID 1500 wrote to memory of 2168 | 1500 | Fedfgejh.exe | 31
PID 1500 wrote to memory of 2168 | 1500 | Fedfgejh.exe | 31
PID 2168 wrote to memory of 2800 | 2168 | Flnndp32.exe | 32
PID 2168 wrote to memory of 2800 | 2168 | Flnndp32.exe | 32
PID 2168 wrote to memory of 2800 | 2168 | Flnndp32.exe | 32
PID 2168 wrote to memory of 2800 | 2168 | Flnndp32.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\797065569cecd6926a4c04d9430c6cb0N.exe (PID 2688, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\797065569cecd6926a4c04d9430c6cb0N.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Fedfgejh.exe (PID 1500, depth 2, child of 2688)
    Command line: C:\Windows\system32\Fedfgejh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Flnndp32.exe (PID 2168, depth 3, child of 1500)
      Command line: C:\Windows\system32\Flnndp32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2800, depth 4, child of 2168)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 81KB
  MD5: 23dc4119aab1075e082891ed0808b785
  SHA1: 0b4d41951533d56fbc8197eb1bfa798b990a6918
  SHA256: 7e5436cdd143f0a96367eb00b08003a1a8c69fd07fb10a20b68150e13f0b809e
  SHA512: 14a86f5cf338ea3ddb5d835d28cde2baed833c299ba5297050089e0520dd516c220d1a07a0dca3446cf28efbe55176ba8fc5a86decde5a6457f42295c078d18a
- Filesize: 81KB
  MD5: efd15d9ade8dfa4b40167c4338521193
  SHA1: 1f94a638a2d92078f99115811986ffc34f2b6d91
  SHA256: 587ae6258ba6b8438ab7fcfde34f36ac7b3c8293504b3816bf8948c5a0441e8d
  SHA512: d974ea2846eb2c3d08afc8e63d99e1728c2fec8889a5c65525e7f684dd510b5aea4de2563473f44fd9914a2e4e9cf4c4ef745e9620659b9d3d6c9a4d2b524f49