Analysis
max time kernel: 92s
max time network: 156s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-08-2024 14:12

Static task: static1
Behavioral task: behavioral1
  Sample: ExeFile (236).exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ExeFile (236).exe
  Resource: win10v2004-20240802-en
General
Target: ExeFile (236).exe
Size: 1.2MB
MD5: c361fe1dc05f5d90c1ce35e0d49b6338
SHA1: 267aac6007a22ca4c17eabbfe4c71f3194b181d6
SHA256: e105e4778abd8cc1d35e0d6b1f0ad17994570ead16764f012270be94de740aaf
SHA512: a1f7a311e03af563d43a2f2d3820d6ac690c99f0edd0ae935df2018205b6e970d14017dd043fd22bc24e956ea483a21116fa1e5b5be4152d3d266a51b9c9d55e
SSDEEP: 24576:qQ+JBjAObi4M2rIDTU4fmj6J/d5nTWzim9W7akhWFhepaLSbK:qQGBfbiyrIDovj6l+59W7aApat
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  2164  svchost.com
  2776  svchost.com
- Loads dropped DLL (3 IoCs)
  Processes:
  pid   process
  1964  cmd.exe
  2164  svchost.com
  2776  svchost.com
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                                                                     process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  ExeFile (236).exe
- Deobfuscate/Decode Files or Information (signature title missing from the extracted report; inferred from the process tree below, which tags exactly these two processes with it)
  Processes:
  pid   process
  1964  cmd.exe
  2148  certutil.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description  ioc                                                       process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ExeFile (236).exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  certutil.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes:
  pid   process
  2164  svchost.com
  2164  svchost.com
  2164  svchost.com
  2776  svchost.com
  2776  svchost.com
  2776  svchost.com
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
  pid   process
  2164  svchost.com
  2164  svchost.com
  2164  svchost.com
  2776  svchost.com
  2776  svchost.com
  2776  svchost.com
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (the report's 64 entries collapse to six distinct parent/target pairs; the count column gives how many times each pair is listed, the first five appearing four times each and the sixth accounting for the remaining entries):
  description         pid   process            target pid  target process  count
  wrote to memory of  2072  ExeFile (236).exe  1964        cmd.exe         4
  wrote to memory of  1964  cmd.exe            2148        certutil.exe    4
  wrote to memory of  1964  cmd.exe            2164        svchost.com     4
  wrote to memory of  2164  svchost.com        2776        svchost.com     4
  wrote to memory of  1964  cmd.exe            2544        PING.EXE        4
  wrote to memory of  2776  svchost.com        2564        svchost.com     44
Processes
C:\Users\Admin\AppData\Local\Temp\ExeFile (236).exe  (PID 2072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ExeFile (236).exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1964, parent 2072)
    Command line: cmd /c <nul set /p ="M" > svchost.com & type QEZEl.com >> svchost.com & del QEZEl.com & certutil -decode LucqD.com C & svchost.com C & ping 127.0.0.1 -n 3
    - Loads dropped DLL
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\certutil.exe  (PID 2148, parent 1964)
      Command line: certutil -decode LucqD.com C
      - Deobfuscate/Decode Files or Information
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com  (PID 2164, parent 1964)
      Command line: svchost.com C
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com  (PID 2776, parent 2164)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com C
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com  (PID 2564, parent 2776)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com

    C:\Windows\SysWOW64\PING.EXE  (PID 2544, parent 1964)
      Command line: ping 127.0.0.1 -n 3
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads