Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2024 03:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- Resource: win7-20240704-en
General
- Target: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- Size: 284KB
- MD5: 21dbc8bf435da3844fe87d4d81e4ba50
- SHA1: fbd9b966f1b50c99521127c477a8c3cde96fc14f
- SHA256: c0c67ac11ce4010268dea559f2b08b21d8ef6f49f48d2786cc1fdfb556397546
- SHA512: 9d491b7e346d9c4b910e74e4b774af1c691c2dc844804546a2f886072c5dac2ca243136d56bb80d542d8f4768c5f924b5994fe57be90ab298358ba1c56d9527b
- SSDEEP: 3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lC:mPA6wxmuJspr2l
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\58629 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mskttvaz.scr" (svchost.exe)

Executes dropped EXE (3 IoCs)
- PID 184156: skyrpe.exe
- PID 108044: skyrpe.exe
- PID 107968: skyrpe.exe

Loads dropped DLL (5 IoCs)
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe

YARA rule matches (resource / yara_rule)
- behavioral1/memory/183788-53497-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53488-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53487-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53486-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53483-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53481-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-53683-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/107968-106966-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral1/memory/183788-106973-0x0000000000400000-0x000000000040B000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe" (reg.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (skyrpe.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (skyrpe.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 2820 set thread context of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 184156 set thread context of 107968 (skyrpe.exe, target 36)
- PID 184156 set thread context of 108044 (skyrpe.exe, target 37)

Drops file in Program Files directory (1 IoCs)
- File created: C:\PROGRA~3\LOCALS~1\Temp\mskttvaz.scr (svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (21dbc8bf435da3844fe87d4d81e4ba50N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (21dbc8bf435da3844fe87d4d81e4ba50N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skyrpe.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skyrpe.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skyrpe.exe)

Suspicious behavior: EnumeratesProcesses (1 IoCs)
- PID 108044: skyrpe.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
- PID 108044: skyrpe.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 107968 (skyrpe.exe)
- Token: SeDebugPrivilege, PID 107968 (skyrpe.exe)
- Token: SeDebugPrivilege, PID 107968 (skyrpe.exe)
- Token: SeDebugPrivilege, PID 107968 (skyrpe.exe)
- Token: SeDebugPrivilege, PID 107968 (skyrpe.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2820: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 183788: 21dbc8bf435da3844fe87d4d81e4ba50N.exe
- PID 184156: skyrpe.exe
- PID 107968: skyrpe.exe

Suspicious use of WriteProcessMemory (39 IoCs)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 2820 wrote to memory of 183788 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 31)
- PID 183788 wrote to memory of 184076 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 32)
- PID 183788 wrote to memory of 184076 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 32)
- PID 183788 wrote to memory of 184076 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 32)
- PID 183788 wrote to memory of 184076 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 32)
- PID 184076 wrote to memory of 184132 (cmd.exe, target 34)
- PID 184076 wrote to memory of 184132 (cmd.exe, target 34)
- PID 184076 wrote to memory of 184132 (cmd.exe, target 34)
- PID 184076 wrote to memory of 184132 (cmd.exe, target 34)
- PID 183788 wrote to memory of 184156 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 35)
- PID 183788 wrote to memory of 184156 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 35)
- PID 183788 wrote to memory of 184156 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 35)
- PID 183788 wrote to memory of 184156 (21dbc8bf435da3844fe87d4d81e4ba50N.exe, target 35)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 107968 (skyrpe.exe, target 36)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 184156 wrote to memory of 108044 (skyrpe.exe, target 37)
- PID 108044 wrote to memory of 108088 (skyrpe.exe, target 38)
- PID 108044 wrote to memory of 108088 (skyrpe.exe, target 38)
- PID 108044 wrote to memory of 108088 (skyrpe.exe, target 38)
- PID 108044 wrote to memory of 108088 (skyrpe.exe, target 38)
Processes

C:\Users\Admin\AppData\Local\Temp\21dbc8bf435da3844fe87d4d81e4ba50N.exe (level 1, PID 2820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21dbc8bf435da3844fe87d4d81e4ba50N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\21dbc8bf435da3844fe87d4d81e4ba50N.exe (level 2, PID 183788)
    Command line: "C:\Users\Admin\AppData\Local\Temp\21dbc8bf435da3844fe87d4d81e4ba50N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 184076)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OJNKK.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (level 4, PID 184132)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (level 3, PID 184156)
      Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (level 4, PID 107968)
        Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (level 4, PID 108044)
        Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\syswow64\svchost.exe (level 5, PID 108088)
          Command line: C:\Windows\syswow64\svchost.exe
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 139B
  MD5: 0654f004b2e314bad7f75867e91da37d
  SHA1: 4232c22e7340b12108d86e3cb35ed288a3dbc7f1
  SHA256: ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
  SHA512: dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

- Filesize: 284KB
  MD5: 129864173b98df5adf01bd885cc3dcb2
  SHA1: d27a493c971d6cc525d11c17f3d8824ee091c9fc
  SHA256: 993342de2d772174f1f5008ac4a9b789283a53d96e829d3e8d9f0608e9bfe78c
  SHA512: bad5993df8c49e7829ec80df96be5ed79f6fddcd815e43187ba2f965640c26139e53c53f7bf9c6f50f2662759bbd69a41c6f40426e4b13a76da486bcad1db28f