Analysis
-
max time kernel
46s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05/08/2024, 13:00
Static task
static1
Behavioral task
behavioral1
Sample
PI24000032.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
PI24000032.exe
Resource
win10v2004-20240802-en
General
-
Target
PI24000032.exe
-
Size
1.2MB
-
MD5
4ea21bce2e927e066bd726b8d38a2adc
-
SHA1
a4d7a0820e72d4cdd3e0d882593c69983ad6e043
-
SHA256
9c2a88e6231afc32955d617333a563b8961175a3ea9f01a97140aa6707ef7272
-
SHA512
4c3016090b9f917c929b4c08f62cbb923eec32ae06f6ba42a4323f98c8dfedbf38e675c1787d752ad0f03cde72e01c47d15000200a08dc34d7729403bac5b1ac
-
SSDEEP
24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8av0NzEdqf3LyFPQ7leIJ:5TvC/MTQYxsWR7av0NwQf3L6Y7le
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1720 set thread context of 2756 1720 PI24000032.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PI24000032.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2756 svchost.exe 2756 svchost.exe 2756 svchost.exe 2756 svchost.exe 2756 svchost.exe 2756 svchost.exe 2756 svchost.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1720 PI24000032.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1720 PI24000032.exe 1720 PI24000032.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1720 PI24000032.exe 1720 PI24000032.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2756 1720 PI24000032.exe 29 PID 1720 wrote to memory of 2756 1720 PI24000032.exe 29 PID 1720 wrote to memory of 2756 1720 PI24000032.exe 29 PID 1720 wrote to memory of 2756 1720 PI24000032.exe 29 PID 1720 wrote to memory of 2756 1720 PI24000032.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD53e87a8823c6f4231f6cfc1fdc08dae11
SHA19773a563be5d99db6d9ebee374b70aaea13691b8
SHA25644096e8052b7c31a31f65ef79bcdcdc4a446f969b38e56f2cc2505993ab133cf
SHA512bf5a4d88a5dfffb6f5c4bca70c6b01133281824edf745f9d4ceedf7cdba7e8a0387ff852a2e03e4bda35f8164d0be789b7a47734932e3e03d9251239d8ea07c6