Analysis
- max time kernel: 113s
- max time network: 87s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 20-08-2024 00:04
Behavioral task: behavioral1
- Sample: 517b34e92b366517070721a2f42a2700N.exe
- Resource: win7-20240708-en
General
- Target: 517b34e92b366517070721a2f42a2700N.exe
- Size: 90KB
- MD5: 517b34e92b366517070721a2f42a2700
- SHA1: 2137c82f55c5e635a9f99a6aa0e08aa0ce555cc6
- SHA256: 4106c11042f4a4b560615f6d6cec2ca802707f89474154a15bdaf4cef04fc29b
- SHA512: 13c9fa3eda256dee3118655893ef735b66fca7ffae27e7e59c60478fe8debb7e39e0efc1c43bf2b0789832b6eef827954bd90ac5acc8ec29c98bba569ee46bf0
- SSDEEP: 1536:RRkDnTSWukyxHE+JBWC7KnI4KTwTPGsvvkigo6RVvUVIag0jIQGJyFeGds4sqUC1:KnT6kyxdL9L0bGducvUVIz0UQGJyFeGP
Malware Config
Signatures

- Detects Andromeda payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2072-8-0x0000000000400000-0x0000000000409000-memory.dmp | family_andromeda
  behavioral1/memory/2072-6-0x0000000000400000-0x0000000000409000-memory.dmp | family_andromeda
  behavioral1/memory/2072-15-0x0000000000400000-0x0000000000409000-memory.dmp | family_andromeda
  behavioral1/memory/2976-20-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda
  behavioral1/memory/2976-24-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda

- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\21600 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\cczqpaq.bat" | svchost.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2072 | 517b34e92b366517070721a2f42a2700N.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  2148 | 517b34e92b366517070721a2f42a2700N.exe

- yara_rule upx (3 resources)
  resource | yara_rule
  behavioral1/memory/2148-0-0x0000000000400000-0x000000000059D000-memory.dmp | upx
  behavioral1/files/0x00080000000173b8-9.dat | upx
  behavioral1/memory/2148-13-0x0000000000400000-0x000000000059D000-memory.dmp | upx

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2148 set thread context of 2072 | 2148 | 517b34e92b366517070721a2f42a2700N.exe | 30

- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\PROGRA~3\LOCALS~1\Temp\cczqpaq.bat | svchost.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 517b34e92b366517070721a2f42a2700N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 517b34e92b366517070721a2f42a2700N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  2148 | 517b34e92b366517070721a2f42a2700N.exe (same row repeated 28 times)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2072 | 517b34e92b366517070721a2f42a2700N.exe
  2072 | 517b34e92b366517070721a2f42a2700N.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2148 wrote to memory of 2072 | 2148 | 517b34e92b366517070721a2f42a2700N.exe | 30 (row repeated 7 times)
  PID 2072 wrote to memory of 2976 | 2072 | 517b34e92b366517070721a2f42a2700N.exe | 31 (row repeated 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\517b34e92b366517070721a2f42a2700N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\517b34e92b366517070721a2f42a2700N.exe"
   PID: 2148
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\517b34e92b366517070721a2f42a2700N.exe (child of PID 2148)
      Command line: "C:\Users\Admin\AppData\Local\Temp\517b34e92b366517070721a2f42a2700N.exe"
      PID: 2072
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\syswow64\svchost.exe (child of PID 2072)
         Command line: C:\Windows\syswow64\svchost.exe
         PID: 2976
         - Adds policy Run key to start application
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
- MD5: 517b34e92b366517070721a2f42a2700
- SHA1: 2137c82f55c5e635a9f99a6aa0e08aa0ce555cc6
- SHA256: 4106c11042f4a4b560615f6d6cec2ca802707f89474154a15bdaf4cef04fc29b
- SHA512: 13c9fa3eda256dee3118655893ef735b66fca7ffae27e7e59c60478fe8debb7e39e0efc1c43bf2b0789832b6eef827954bd90ac5acc8ec29c98bba569ee46bf0