Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 21:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
  Resource: win10v2004-20240802-en
General
Target: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
Size: 237KB
MD5: 0a672ee4cfe227f1fd98a232b89c2c10
SHA1: 5b4bc96dc9820f92b96cbe644ab804cc8bfc9ac2
SHA256: 43ce1cb391cc7ab81e08985b05bf8a1f79262e6dc3f8176676c663da0c171907
SHA512: 8f25c1813af51b953cc047d5b572625a330c683faff602eb4f632787a7770f29fe5ee4b82a4bd8df570f6619795b526c1cf797f51d7b685aa9c36d92d8bc7954
SSDEEP: 6144:HA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:HATuTAnKGwUAWVycQqgj
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\43FF6CC3 = "C:\\Users\\Admin\\AppData\\Roaming\\43FF6CC3\\bin.exe"
  process: winver.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 0a672ee4cfe227f1fd98a232b89c2c10N.exe, winver.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 0a672ee4cfe227f1fd98a232b89c2c10N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: winver.exe
Suspicious behavior: EnumeratesProcesses (57 IoCs)
Processes: winver.exe
  pid: 2800
  process: winver.exe
  (the same pid/process entry is recorded 57 times)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: winver.exe
  pid: 2800
  process: winver.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 0a672ee4cfe227f1fd98a232b89c2c10N.exe, winver.exe
  description | pid | process | target process
  PID 624 wrote to memory of 2800 | 624 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
  PID 624 wrote to memory of 2800 | 624 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
  PID 624 wrote to memory of 2800 | 624 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
  PID 624 wrote to memory of 2800 | 624 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
  PID 624 wrote to memory of 2800 | 624 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
  PID 2800 wrote to memory of 1252 | 2800 | winver.exe | Explorer.EXE
  PID 2800 wrote to memory of 1116 | 2800 | winver.exe | taskhost.exe
  PID 2800 wrote to memory of 1204 | 2800 | winver.exe | Dwm.exe
  PID 2800 wrote to memory of 1252 | 2800 | winver.exe | Explorer.EXE
  PID 2800 wrote to memory of 932 | 2800 | winver.exe | DllHost.exe
Processes (indentation shows the parent/child tree; each entry is image path, command line, PID)
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1116
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1204
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1252
  C:\Users\Admin\AppData\Local\Temp\0a672ee4cfe227f1fd98a232b89c2c10N.exe  "C:\Users\Admin\AppData\Local\Temp\0a672ee4cfe227f1fd98a232b89c2c10N.exe"  PID:624
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe  winver  PID:2800
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:932