Analysis

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2024 05:37

Static task: static1

Behavioral task: behavioral1
Sample: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe
Resource: win10v2004-20240802-en

General

Target: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe
Size: 237KB
MD5: 5727c42aa8896592756532e7c78b65bb
SHA1: d27546565855ff10f60ed6251d9855381ded5fa4
SHA256: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b
SHA512: 377769476dd05f9ca38a144e7f69f5b4e6c0ba2946d25b8ad850b96e49c12df82e4871d6331663273feaf2111169238ae93840640a10165d145944b0f8ffc019
SSDEEP: 6144:NA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:NATuTAnKGwUAWVycQqgj
Malware Config

Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\A742BC25 = "C:\\Users\\Admin\\AppData\\Roaming\\A742BC25\\bin.exe" | winver.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe, winver.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
- Suspicious behavior: EnumeratesProcesses (57 IoCs)
  Processes: winver.exe
  pid | process
  2856 | winver.exe (the same entry is recorded 57 times)

- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: winver.exe, Explorer.EXE
  pid | process
  2856 | winver.exe
  1256 | Explorer.EXE
  1256 | Explorer.EXE

- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
  pid | process
  1256 | Explorer.EXE
  1256 | Explorer.EXE

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe, winver.exe
  description | pid | process | target process
  PID 2284 wrote to memory of 2856 | 2284 | d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe | winver.exe (recorded 5 times)
  PID 2856 wrote to memory of 1256 | 2856 | winver.exe | Explorer.EXE
  PID 2856 wrote to memory of 1124 | 2856 | winver.exe | taskhost.exe
  PID 2856 wrote to memory of 1180 | 2856 | winver.exe | Dwm.exe
  PID 2856 wrote to memory of 1256 | 2856 | winver.exe | Explorer.EXE
  PID 2856 wrote to memory of 1740 | 2856 | winver.exe | DllHost.exe
  PID 2856 wrote to memory of 2284 | 2856 | winver.exe | d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe
Processes

(path | command line | PID; indentation shows the parent/child level)

- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1124

- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1180

- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1256
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe | "C:\Users\Admin\AppData\Local\Temp\d3ddb6e155646b8530ad34270ab71abf2b5be8cc767c745397d512f34263cb2b.exe" | PID 2284
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe | winver | PID 2856
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1740