Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 01:45
Static task
static1
Behavioral task
behavioral1
Sample
f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe
Resource
win10v2004-20240802-en
General
-
Target
f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe
-
Size
402KB
-
MD5
4248d006d6c66077043c42a11c30dfb8
-
SHA1
38d0733d4f5c573512b34001c7a17ced8f25ae07
-
SHA256
f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3
-
SHA512
e0dc4e067a0a05831f1d5165abbde9f23cf69433d5f5c68b956ef5d47c87f8d7c93b5d52e66495bd93c39adc49e1320e6450c58a169478dcffac76ace5a66d30
-
SSDEEP
12288:ntKe6Zv23YeVOzpVwzDGAx8LKU2j2HS3UVHTn:76Zv2lQMRxa1c60UR
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983} f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msdor32.exe" f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msdor32.exe" svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2684 svchost.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" svchost.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\vcl32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File opened for modification C:\Windows\SysWOW64\vcl32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File created C:\Windows\SysWOW64\msdor32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File opened for modification C:\Windows\SysWOW64\msdor32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File created C:\Windows\SysWOW64\concp32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File opened for modification C:\Windows\SysWOW64\concp32.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\svchost.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe File created C:\Windows\svchost.exe f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Modifies registry class 12 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 17df404b476763a705250eee0fd816eb f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983} svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983} f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4321B2D0-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" svchost.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2764 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2684 2764 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe 31 PID 2764 wrote to memory of 2684 2764 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe 31 PID 2764 wrote to memory of 2684 2764 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe 31 PID 2764 wrote to memory of 2684 2764 f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe"C:\Users\Admin\AppData\Local\Temp\f572fd51f971f4037599fae0ab87eee9acb3897a3e0fedd8bf4a166b8719e1e3.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\svchost.exeC:\Windows\svchost.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
404KB
MD5685bb2dcb8319f5cb4a7499e3be6b748
SHA18bd2027a525e75273864139b9dcfb2dc273f4fbc
SHA25684a93b23d6fff40438d4570b7dacbf0cac1b65ce62c4de3c74625b9e9849aa40
SHA51240d9bc31ef04c5e082319a1babca9839d1f122dfda3835502b1bca0cbb0b7f86764178bdbabc903c43bbb304f6c2fdd2a937e7f25a4ed138248caf78f3cdf2e7
-
Filesize
406KB
MD5a11745d7f2ed50b33d6ae8e0e3ecf5da
SHA1bd8585798f14fd7b42a668de7ef233867ce637e2
SHA25662df08520e3ea7d0c558403b96f400526d32338a5cc29841ae2188063d7462f1
SHA512e7e515b1a607469bcb41d6239032f2163f178bc44e4f295e1b7f2b17fe085d1d0cfb0b57f3e47cfef54b40964f9c447a42f6d4450c3e2ae591205bc467da288a