Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 20-08-2024 20:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Resource: win10v2004-20240802-en
General
Target: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
Size: 225KB
MD5: 1edfcd0d4fc5c270ea507d2d28913ad0
SHA1: d42fb7913e8aa52488fa1887f6695fe09b7a97eb
SHA256: 0cbd571f2cbb15bcc922a2fef69b5de0fcce818df2835deeebffcd0481ce4832
SHA512: ca04804f6b908507490dbfad137b10b406da6ebb72b8b9f2b1cb02fe7b1565056db6e937735962877a24e98b715d98a8f81095713e14e1bfbd4c7bed19a21145
SSDEEP: 6144:KA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:KATuTAnKGwUAW3ycQqgf
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\62A19CEF = "C:\\Users\\Admin\\AppData\\Roaming\\62A19CEF\\bin.exe" | winver.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe

Suspicious behavior: EnumeratesProcesses (47 IoCs)
Processes:
  pid | process
  2716 | winver.exe (all 47 IoCs are from this process)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid | process
  2716 | winver.exe
  1200 | Explorer.EXE
  1200 | Explorer.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process
  1200 | Explorer.EXE
  1200 | Explorer.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 2260 wrote to memory of 2716 | 2260 | 1edfcd0d4fc5c270ea507d2d28913ad0N.exe | winver.exe (5 times)
  PID 2716 wrote to memory of 1200 | 2716 | winver.exe | Explorer.EXE
  PID 2716 wrote to memory of 1100 | 2716 | winver.exe | taskhost.exe
  PID 2716 wrote to memory of 1164 | 2716 | winver.exe | Dwm.exe
  PID 2716 wrote to memory of 1200 | 2716 | winver.exe | Explorer.EXE
  PID 2716 wrote to memory of 1316 | 2716 | winver.exe | DllHost.exe
  PID 2716 wrote to memory of 2260 | 2716 | winver.exe | 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
Processes
(image path, command line, PID; indentation shows parent/child depth)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1100

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1164

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1200
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe  "C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe"  PID:2260
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\winver.exe  winver  PID:2716
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1316