Analysis

max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 02:21

Static task: static1
Behavioral task: behavioral1
Sample: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
Resource: win7-20240729-en
General

Target: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
Size: 88KB
MD5: 852c0d00b8742475efd18efd62d20a78
SHA1: 843fb8261f66bc4217e7d2e07afbe4e069e1e7fd
SHA256: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6
SHA512: b4a62e31061e3b94387f8a217027c2d2bc65efe19ad272889638056ed55619a7a350c7af9f559d6c265f4408b2e46623d1e89ed4c4a19ada00b8684a32dca6f4
SSDEEP: 1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEm:6D0ctAVA/bmxIMnoKjyR/Nm
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid 6032  winlogonr.exe

Loads dropped DLL (5 IoCs)
pid 11916  98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe (all five loads are by this one process)

UPX (yara rule match on memory dumps of pid 11916)
behavioral1/memory/11916-540762-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540764-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540767-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540768-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540769-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540770-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/11916-540812-0x0000000000400000-0x000000000040B000-memory.dmp
All seven hits are dumps of the same 0x00400000-0x0040B000 image region of the second sample instance (pid 11916), the process whose code the parent overwrote (see SetThreadContext and WriteProcessMemory below).

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe"
Process: reg.exe
The value name "winlogon" and the directory name "winlogonr" mimic the legitimate Windows logon process; the real winlogon.exe lives in C:\Windows\System32, not in a user's AppData\Roaming.

Suspicious use of SetThreadContext (1 IoC)
PID 2604 (98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe) set thread context of 11916 (procid_target 30). Both pids run the same image.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe (2 hits), cmd.exe, reg.exe, winlogonr.exe
Two of the five hits come from the stock cmd.exe and reg.exe, so this key is opened as part of ordinary process start-up on this image; it is weak evidence of a deliberate locale check by the sample.

Suspicious use of SetWindowsHookEx (3 IoCs)
pid 2604   98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
pid 11916  98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
pid 6032   winlogonr.exe

Suspicious use of WriteProcessMemory (20 IoCs)
PID 2604 (sample) wrote to memory of 11916 (sample, procid_target 30): 8 writes
PID 11916 (sample) wrote to memory of 6072 (cmd.exe, procid_target 31): 4 writes
PID 6072 (cmd.exe) wrote to memory of 6000 (reg.exe, procid_target 33): 4 writes
PID 11916 (sample) wrote to memory of 6032 (winlogonr.exe, procid_target 34): 4 writes
Four writes per spawned child is the pattern for every process creation in this run, including the benign cmd.exe -> reg.exe step. The eight writes from 2604 into 11916 stand out: they target a child running the same image and are paired with SetThreadContext on that child, which is consistent with the parent relaunching itself and replacing the child's code before resuming it (the UPX-tagged dumps above are of that child's image region).
Processes

1. C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
   PID: 2604
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
      PID: 11916
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IJGOA.bat" "
         PID: 6072
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
            PID: 6000
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

      3. C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
         command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
         PID: 6032
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
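As an added example, not part of the sandbox report, the following Python script shows how the rows above can be triaged automatically: it reconstructs the process tree, flags the parent that both wrote into and re-contexted a child running its own image (the self-injection shape behind the SetThreadContext/WriteProcessMemory signatures), parses the reg.exe command line to recover the Run-key persistence, and confirms that the persisted path was actually executed (pid 6032). The PROCESSES, PARENT, EVENTS and CMDLINES tables are transcribed from this report; the function names and the event encoding are my own, not the sandbox's API.

```python
import re
from collections import defaultdict

SAMPLE = "98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"

# Process list transcribed from the report's process tree (constructed input for this example).
PROCESSES = {
    2604: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    11916: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    6072: r"C:\Windows\SysWOW64\cmd.exe",
    6000: r"C:\Windows\SysWOW64\reg.exe",
    6032: r"C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe",
}
PARENT = {11916: 2604, 6072: 11916, 6000: 6072, 6032: 11916}

# Cross-process events from the signature tables, as (kind, source pid, target pid, count).
EVENTS = [
    ("set_thread_context", 2604, 11916, 1),
    ("write_process_memory", 2604, 11916, 8),
    ("write_process_memory", 11916, 6072, 4),
    ("write_process_memory", 6072, 6000, 4),
    ("write_process_memory", 11916, 6032, 4),
]

# Command lines from the process tree; only the reg.exe one carries persistence.
CMDLINES = {
    6072: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\IJGOA.bat" "',
    6000: r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f',
}


def find_self_injection(events, processes):
    """Return (parent, child) pairs where the parent wrote into the child AND replaced a
    thread context in it, and both pids run the same image: the hollowing/self-injection shape."""
    writes = defaultdict(int)
    ctx = set()
    for kind, src, dst, n in events:
        if kind == "write_process_memory":
            writes[(src, dst)] += n
        elif kind == "set_thread_context":
            ctx.add((src, dst))
    return sorted(p for p in ctx
                  if writes[p] and processes[p[0]].lower() == processes[p[1]].lower())


# Matches: REG ADD "<key>" /v "<name>" [/t <type>] /d "<data>" ...
REG_ADD = re.compile(
    r'^\s*REG\s+ADD\s+"([^"]+)"\s+/v\s+"([^"]+)"(?:\s+/t\s+(\S+))?\s+/d\s+"([^"]+)"', re.I)


def parse_reg_add(cmdline):
    """Extract key, value name, type and data from a REG ADD command line, or None."""
    m = REG_ADD.match(cmdline)
    if not m:
        return None
    return {"key": m.group(1), "name": m.group(2), "type": m.group(3), "data": m.group(4)}


def find_run_key_persistence(cmdlines):
    """(pid, parsed) for every command line that writes a value under ...\\CurrentVersion\\Run."""
    hits = []
    for pid, cl in cmdlines.items():
        parsed = parse_reg_add(cl)
        if parsed and parsed["key"].lower().endswith("\\currentversion\\run"):
            hits.append((pid, parsed))
    return hits


def ancestry(pid, parent):
    """Walk the parent map from pid up to the root, e.g. reg.exe -> cmd.exe -> sample -> sample."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def persisted_binaries_executed(hits, processes):
    """PIDs whose image path equals a Run value's data: persistence confirmed by execution."""
    targets = {p["data"].lower() for _, p in hits}
    return sorted(pid for pid, img in processes.items() if img.lower() in targets)


if __name__ == "__main__":
    for parent_pid, child_pid in find_self_injection(EVENTS, PROCESSES):
        print(f"self-injection: {parent_pid} -> {child_pid} ({PROCESSES[child_pid]})")
    hits = find_run_key_persistence(CMDLINES)
    for pid, p in hits:
        print(f"persistence by pid {pid} via {' -> '.join(map(str, ancestry(pid, PARENT)))}:")
        print(f"  {p['key']}\\{p['name']} = {p['data']}")
    print("persisted binary executed as pid(s):", persisted_binaries_executed(hits, PROCESSES))
```

The same-image test in find_self_injection is what separates the 2604 -> 11916 pair from the four-write process-creation noise seen on every other child in this run; on a live host you would feed it ETW or Sysmon cross-process events instead of the transcribed table.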
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 149B
MD5: 6831b89d0b8dc3e07588d733e75c122b
SHA1: 8c70088c3224bbaf535ed19ec0f6bd5231c543be
SHA256: 9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2
SHA512: 699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

File 2
Filesize: 88KB
MD5: ad18ce4cfe019db54f72e6085d0b7ca4
SHA1: cc981487c2ab91cd1443747304f7ae0ab43ed2ad
SHA256: 9bbb0ddb5648c92aacdec5b6bae23062a79436a6468cbe21e67492c3cef1d4bc
SHA512: 354362f8af400bde3e79b9cdb83662528089754cca36f905196ab4660ae0e6d0a813be9b89925827998fe4b3640cd1f45119e6c897a6e2b6d1a87edd138a4378

The report does not name these two files. The 149B file is a size consistent with a one-line batch script such as the IJGOA.bat run by cmd.exe. The 88KB file matches the submitted sample's size but none of its hashes (MD5 852c0d00..., SHA256 98d2db31...), so it is not a byte-identical copy of the sample; when hunting, search for both hash sets rather than assuming the on-disk winlogonr.exe carries the original hash.