Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2024 20:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
- Resource: win10v2004-20240802-en
General
- Target: 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
- Size: 225KB
- MD5: 7f302c1a538f4e12907ca697f5bc6e9b
- SHA1: 0403daf79297bef98ef3e166d5eeed29dd31ae93
- SHA256: 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e
- SHA512: b5def8f8454e59f047e584b6eddea97ad2a37b5a7f1b43023055b3b2c68650a014fd987234bf156ffdf6905322d3fd3722789382d24490ce6c003eb43106e3e6
- SSDEEP: 6144:DA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:DATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\720EDBFE = "C:\\Users\\Admin\\AppData\\Roaming\\720EDBFE\\bin.exe" | winver.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
-
Suspicious behavior: EnumeratesProcesses (61 IoCs)
Processes:
pid | process
2404 | winver.exe (61 identical entries)
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
2404 | winver.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 1984 wrote to memory of 2404 | 1984 | 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe | winver.exe (5 identical entries)
PID 2404 wrote to memory of 1228 | 2404 | winver.exe | Explorer.EXE
PID 2404 wrote to memory of 1116 | 2404 | winver.exe | taskhost.exe
PID 2404 wrote to memory of 1172 | 2404 | winver.exe | Dwm.exe
PID 2404 wrote to memory of 1228 | 2404 | winver.exe | Explorer.EXE
PID 2404 wrote to memory of 1368 | 2404 | winver.exe | DllHost.exe
PID 2404 wrote to memory of 1984 | 2404 | winver.exe | 2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1116
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1172
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1228
  - C:\Users\Admin\AppData\Local\Temp\2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ea70b430ce38c5fc816e20488189564b3b5c28bb74a5db05ca7c358ce7f449e.exe"
    PID: 1984
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      PID: 2404
      Signatures:
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1368