Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 01:04
| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe | win7-20240729-en |
| behavioral2 | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe | win10v2004-20240802-en |
General
Target: a7b93c40d2e5bb1b02de6e5cf18b0950N.exe
Size: 29KB
MD5: a7b93c40d2e5bb1b02de6e5cf18b0950
SHA1: 6638b2b683533ecc639023f6eabf3b1b363f4c1c
SHA256: 9f5a8715a1ca6d82dac4457b0e6d2bbfe5f1f1133a97564d19e9ea189fa880d2
SHA512: 6daeb12e3d8ed13d4c458bf341810ddc395105bfde071acd18ed6ab304f14fae628a60807f60a373fb5b571c8cf5fd4410f8e60ec1cd985ba05eebd4abe66c10
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/w:AEwVs+0jNDY1qi/qI
Malware Config
Signatures
Executes dropped EXE 1 IoCs

| pid | Process |
| --- | --- |
| 4224 | services.exe |
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3604-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx |
| behavioral2/files/0x00080000000234c9-4.dat | upx |
| behavioral2/memory/4224-6-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/3604-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx |
| behavioral2/memory/4224-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-40-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-45-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/4224-50-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/3604-51-0x0000000000500000-0x0000000000510200-memory.dmp | upx |
| behavioral2/memory/4224-52-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/memory/3604-56-0x0000000000500000-0x0000000000510200-memory.dmp | upx |
| behavioral2/memory/4224-57-0x0000000000400000-0x0000000000408000-memory.dmp | upx |
| behavioral2/files/0x00110000000233f9-67.dat | upx |
Adds Run key to start application 2 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe |
Drops file in Windows directory 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\services.exe | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe |
| File opened for modification | C:\Windows\java.exe | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe |
| File created | C:\Windows\java.exe | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe |
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe |
Suspicious use of WriteProcessMemory 3 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3604 wrote to memory of 4224 | 3604 | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe | 84 |
| PID 3604 wrote to memory of 4224 | 3604 | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe | 84 |
| PID 3604 wrote to memory of 4224 | 3604 | a7b93c40d2e5bb1b02de6e5cf18b0950N.exe | 84 |
Processes
- C:\Users\Admin\AppData\Local\Temp\a7b93c40d2e5bb1b02de6e5cf18b0950N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a7b93c40d2e5bb1b02de6e5cf18b0950N.exe", PID: 3604)
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (command line: "C:\Windows\services.exe", PID: 4224)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads