Analysis

max time kernel: 38s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06-08-2024 22:16

Static task: static1
Behavioral task: behavioral1
Sample: 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
Resource: win7-20240704-en

General

Target: 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
Size: 281KB
MD5: e2e03488307f8b2d60de71cde2cdc8ac
SHA1: 5a4b5583bb23bdd6c0920d76d0be61f883f10c7f
SHA256: 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3
SHA512: 4a3d65d5d946e616b8b65af0e8d797af1b6c3c95af56d38cafb3c13d3d06062d43c13da9d7f8ace5f8ef728515b79646782124b1975a39de124e70023df959ff
SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6SK
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2684  a1punf5t2of.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1668  5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
    pid 2684  a1punf5t2of.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1punf5t2of.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 1668 wrote to memory of 2684 | 1668 | 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
    PID 2684 wrote to memory of 2972 | 2684 | a1punf5t2of.exe | a1punf5t2of.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe"
  PID: 1668
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    PID: 2684
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 281KB
  MD5: 92b2c0fe8d5f5146c29520a34e51d2a1
  SHA1: 0130a602ddfd766d4f910720f232772e9fa6ec4b
  SHA256: 66f3be3ec13c7cc9465e8568254140bbbfd33e1cf8b3b6bbd94fe0d4ba1d5c68
  SHA512: c485219175328f2aba8e529a7de56a8e23038f520316888a06c3a8d4787b796c4b22dd6ab531c1dc5989a9ab244c58187b23d71b1b8f624a5eb211f8886526a4