Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-08-2024 10:06
Static task: static1
Behavioral task: behavioral1
    Sample: d5a18378b163bafb3b75f166cefe93c0N.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: d5a18378b163bafb3b75f166cefe93c0N.exe
    Resource: win10v2004-20240802-en
General
Target: d5a18378b163bafb3b75f166cefe93c0N.exe
Size: 237KB
MD5: d5a18378b163bafb3b75f166cefe93c0
SHA1: 0585ecccf12239bcd4c5da540d3de7b31013cff7
SHA256: 4479b4bf55669694f5dc5b16749758a3a360aca3071c60d4f0331010c9123747
SHA512: 0feda768a4194762fc8c01f69d63b824824fa60bb56561f4769272fd88ee7eb8a83e75ca78e2121f13e82426cb38ebd1c4b3851f3409615466179009d83e5878
SSDEEP: 6144:lA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:lATuTAnKGwUAWVycQqgj
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: winver.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\2281CFAC = "C:\\Users\\Admin\\AppData\\Roaming\\2281CFAC\\bin.exe" | winver.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: d5a18378b163bafb3b75f166cefe93c0N.exe, winver.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5a18378b163bafb3b75f166cefe93c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: winver.exe
pid | process
1768 | winver.exe (same entry repeated for all 46 IoCs)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: winver.exe
pid | process
1768 | winver.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: d5a18378b163bafb3b75f166cefe93c0N.exe, winver.exe
description | pid | process | target process
PID 2516 wrote to memory of 1768 | 2516 | d5a18378b163bafb3b75f166cefe93c0N.exe | winver.exe
PID 2516 wrote to memory of 1768 | 2516 | d5a18378b163bafb3b75f166cefe93c0N.exe | winver.exe
PID 2516 wrote to memory of 1768 | 2516 | d5a18378b163bafb3b75f166cefe93c0N.exe | winver.exe
PID 2516 wrote to memory of 1768 | 2516 | d5a18378b163bafb3b75f166cefe93c0N.exe | winver.exe
PID 2516 wrote to memory of 1768 | 2516 | d5a18378b163bafb3b75f166cefe93c0N.exe | winver.exe
PID 1768 wrote to memory of 1208 | 1768 | winver.exe | Explorer.EXE
PID 1768 wrote to memory of 1116 | 1768 | winver.exe | taskhost.exe
PID 1768 wrote to memory of 1172 | 1768 | winver.exe | Dwm.exe
PID 1768 wrote to memory of 1208 | 1768 | winver.exe | Explorer.EXE
PID 1768 wrote to memory of 848 | 1768 | winver.exe | DllHost.exe
PID 1768 wrote to memory of 2516 | 1768 | winver.exe | d5a18378b163bafb3b75f166cefe93c0N.exe
Processes
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1116
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1172
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1208
    C:\Users\Admin\AppData\Local\Temp\d5a18378b163bafb3b75f166cefe93c0N.exe  "C:\Users\Admin\AppData\Local\Temp\d5a18378b163bafb3b75f166cefe93c0N.exe"  PID:2516
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\winver.exe  winver  PID:1768
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:848