Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 01:50
Static task
static1
Behavioral task
behavioral1
Sample
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe
Resource
win10v2004-20240802-en
General
-
Target
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe
-
Size
861KB
-
MD5
c20ef4961ce6eb9dd5654242ec1b418c
-
SHA1
076cb25979115c1a5baa95807f993c90f629c524
-
SHA256
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352
-
SHA512
e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2
-
SSDEEP
24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
certutil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe -
Executes dropped EXE 2 IoCs
Processes:
msdtc.commsdtc.compid process 376 msdtc.com 3624 msdtc.com -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe -
Processes:
cmd.execertutil.exepid process 3292 cmd.exe 4476 certutil.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.execmd.execertutil.exemsdtc.commsdtc.comPING.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdtc.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdtc.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
msdtc.commsdtc.compid process 376 msdtc.com 376 msdtc.com 376 msdtc.com 3624 msdtc.com 3624 msdtc.com 3624 msdtc.com -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
msdtc.commsdtc.compid process 376 msdtc.com 376 msdtc.com 376 msdtc.com 3624 msdtc.com 3624 msdtc.com 3624 msdtc.com -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.execmd.exemsdtc.comdescription pid process target process PID 1304 wrote to memory of 3292 1304 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe cmd.exe PID 1304 wrote to memory of 3292 1304 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe cmd.exe PID 1304 wrote to memory of 3292 1304 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe cmd.exe PID 3292 wrote to memory of 4476 3292 cmd.exe certutil.exe PID 3292 wrote to memory of 4476 3292 cmd.exe certutil.exe PID 3292 wrote to memory of 4476 3292 cmd.exe certutil.exe PID 3292 wrote to memory of 376 3292 cmd.exe msdtc.com PID 3292 wrote to memory of 376 3292 cmd.exe msdtc.com PID 3292 wrote to memory of 376 3292 cmd.exe msdtc.com PID 376 wrote to memory of 3624 376 msdtc.com msdtc.com PID 376 wrote to memory of 3624 376 msdtc.com msdtc.com PID 376 wrote to memory of 3624 376 msdtc.com msdtc.com PID 3292 wrote to memory of 4572 3292 cmd.exe PING.EXE PID 3292 wrote to memory of 4572 3292 cmd.exe PING.EXE PID 3292 wrote to memory of 4572 3292 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe"C:\Users\Admin\AppData\Local\Temp\80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\cmd.execmd /c <nul set /p ="M" > msdtc.com & type KsTpnq.com >> msdtc.com & del KsTpnq.com & certutil -decode yTxIv.com U & msdtc.com U & ping 127.0.0.1 -n 32⤵
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\certutil.execertutil -decode yTxIv.com U3⤵
- Manipulates Digital Signatures
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.commsdtc.com U3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com U4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3624 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4572
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Deobfuscate/Decode Files or Information
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5d86ab2aeeac2553c7857ece4492eda5d
SHA10828db56b556f3f0486a9de9d2c728216035e8e6
SHA2568861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436
SHA5128c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe
-
Filesize
241KB
MD5c8c4a872e297f7e536786c49d66650c5
SHA1d65329038099ba179db5331f8eaec618fb679119
SHA256f8b193619fa0fbf5e8a7fa84017dab39b15acaeb3b7888b532e3d26d017d22ee
SHA51237d26d18f19e7660b28c3b5cd58ae2a35ab40c2ffc947193c945a764a84edc61198141dab620d03f41c1585ca44c8ba940881db337a6e92ca2e454d50acb0c87
-
Filesize
200KB
MD55ea7b5afb1bf7b27844bfb150307adb1
SHA147fcfe229e937dc5d2700203c1f9d42767082903
SHA256ff8814e26980703a8d1d917a8a6991e80849037fe6fb531b05b7d984fa0db4e2
SHA5121ca5022ee0e978711fd05b9c1655d554b16672962338f86c003aaebd86def8b07170b798c570823db6fb7b63eb17684a4beed302f5029ae01f66e1f828bd3388
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
332KB
MD50793e3a615b4e02d45e1f857fcb9b2fe
SHA1c54946443428a2e90cbe07afd9a96b6dd176f563
SHA256789eaa8e03690dd53708b429b7cb51f619f80c3f56d4616ca8971d512a63024b
SHA512f889c6bf2c6878a980d1432c2353290bbf907292b777e73e0f540414f7de3e2945d05dad58b695214fc04163e729f6830cf6a1cfc6f4e9b5394c1fcc004e0b89