Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/08/2024, 01:45

General

  • Target: f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe
  • Size: 402KB
  • MD5: 4248d006d6c66077043c42a11c30dfb8
  • SHA1: 38d0733d4f5c573512b34001c7a17ced8f25ae07
  • SHA256: f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3
  • SHA512: e0dc4e067a0a05831f1d5165abbde9f23cf69433d5f5c68b956ef5d47c87f8d7c93b5d52e66495bd93c39adc49e1320e6450c58a169478dcffac76ace5a66d30
  • SSDEEP: 12288:ntKe6Zv23YeVOzpVwzDGAx8LKU2j2HS3UVHTn:76Zv2lQMRxa1c60UR

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe
    "C:\Users\Admin\AppData\Local\Temp\f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe
    Filesize: 404KB
    MD5: 685bb2dcb8319f5cb4a7499e3be6b748
    SHA1: 8bd2027a525e75273864139b9dcfb2dc273f4fbc
    SHA256: 84a93b23d6fff40438d4570b7dacbf0cac1b65ce62c4de3c74625b9e9849aa40
    SHA512: 40d9bc31ef04c5e082319a1babca9839d1f122dfda3835502b1bca0cbb0b7f86764178bdbabc903c43bbb304f6c2fdd2a937e7f25a4ed138248caf78f3cdf2e7

  • C:\Windows\svchost.exe
    Filesize: 406KB
    MD5: a11745d7f2ed50b33d6ae8e0e3ecf5da
    SHA1: bd8585798f14fd7b42a668de7ef233867ce637e2
    SHA256: 62df08520e3ea7d0c558403b96f400526d32338a5cc29841ae2188063d7462f1
    SHA512: e7e515b1a607469bcb41d6239032f2163f178bc44e4f295e1b7f2b17fe085d1d0cfb0b57f3e47cfef54b40964f9c447a42f6d4450c3e2ae591205bc467da288a

  • memory/2684-15-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/2764-6-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/2764-14-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB