Analysis

max time kernel: 118s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-08-2024 03:08

Static task: static1
Behavioral task: behavioral1
  Sample: ed3a2efa153c6562ee08d2b8359958f0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ed3a2efa153c6562ee08d2b8359958f0N.exe
  Resource: win10v2004-20240802-en
General

Target: ed3a2efa153c6562ee08d2b8359958f0N.exe
Size: 106KB
MD5: ed3a2efa153c6562ee08d2b8359958f0
SHA1: 1a14de6325188c2c5554aca9ba2b90e862f6da25
SHA256: 1eb611bc34e8ec8274888b77f7eff636cd388143d747e1a9d9f93ed9257745a1
SHA512: 733e3c7f3bbc72dc73f9f6338e6cb23634a0974f95bea703fa4a3a9e98d0c27e978483fd0e3f05947692d1956aa707a91cec7ae4cf84aa1c04870395185c2c3e
SSDEEP: 768:w+6p+OMlgGXCWhfDzU7f0JDgi9I57+sByZ+XsfXpwtG9ipelU9JA:w+mFM2QXtZgi9Iksu+XM57ipeq9JA
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F3FBA43A = "C:\\Users\\Admin\\AppData\\Roaming\\F3FBA43A\\bin.exe" | winver.exe
Note: the autorun value is written by winver.exe, a legitimate Windows binary from SysWOW64 that the sample launched (command line "winver") and then wrote to memory four times (see "Suspicious use of WriteProcessMemory"), not by the sample's own image. The value name and the directory under %APPDATA% share the same 8-hex-digit name, F3FBA43A, and the persisted file is bin.exe in that directory.

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  4524 | 2492 | WerFault.exe | winver.exe
Note: WerFault.exe PID 4524 is the crash handler for winver.exe (PID 2492); its command line in the process tree is "-u -p 2492 -s 352".

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed3a2efa153c6562ee08d2b8359958f0N.exe
Note: many benign programs read this key; on its own it is a weak indicator and is listed here for attribution, not as a detection point.

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Note: attributed to Explorer.EXE (PID 3520), which winver.exe wrote to memory during the run (see "Suspicious use of WriteProcessMemory").

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  2492 | winver.exe
  2492 | winver.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Note: all six are Explorer.EXE enabling SeShutdownPrivilege and SeCreatePagefilePrivilege, which the shell does routinely; none is attributed to the sample or to winver.exe.

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid | process
  2492 | winver.exe
  3520 | Explorer.EXE
  3520 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid | process
  3520 | Explorer.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 4428 wrote to memory of 2492 | 4428 | ed3a2efa153c6562ee08d2b8359958f0N.exe | winver.exe
  PID 4428 wrote to memory of 2492 | 4428 | ed3a2efa153c6562ee08d2b8359958f0N.exe | winver.exe
  PID 4428 wrote to memory of 2492 | 4428 | ed3a2efa153c6562ee08d2b8359958f0N.exe | winver.exe
  PID 4428 wrote to memory of 2492 | 4428 | ed3a2efa153c6562ee08d2b8359958f0N.exe | winver.exe
  PID 2492 wrote to memory of 3520 | 2492 | winver.exe | Explorer.EXE
  PID 2492 wrote to memory of 2576 | 2492 | winver.exe | sihost.exe
Note: four writes from the sample into a winver.exe it had just launched, after which winver.exe writes into Explorer.EXE and sihost.exe, sets the Run key and then crashes, is the process-injection pattern that makes winver.exe, not the sample's own image, the process to pivot on in this trace.
Processes

(indentation follows the tree depth recorded in the report: 1 = top level)

[1] C:\Windows\system32\sihost.exe  (command line: sihost.exe)  PID 2576

[1] C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID 3520
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of UnmapMainImage
    [2] C:\Users\Admin\AppData\Local\Temp\ed3a2efa153c6562ee08d2b8359958f0N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\ed3a2efa153c6562ee08d2b8359958f0N.exe")  PID 4428
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\winver.exe  (command line: winver)  PID 2492
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WerFault.exe  (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 352)  PID 4524
                - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2492 -ip 2492)  PID 4352
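As an added example (not part of this report, and not code from the sample or the sandbox), the two checks below turn the behaviours recorded above into detection logic: a Run-key write that points into a user-writable directory, carries a machine-looking hex name, or is made by a Windows system binary; and a write chain in which a non-system process writes into a system binary that then writes into further processes. Event dicts use Sysmon-style field names (an assumption), and the EVENTS list is constructed to mirror this report's IoCs (PIDs 4428, 2492, 3520, 2576 and the F3FBA43A value), plus one constructed benign autorun entry as a control.

```python
"""Added example: detection checks derived from the sandbox report above.
Not code from the sample or the sandbox; field names are Sysmon-like by assumption."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(
    r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.I)                      # e.g. F3FBA43A
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)

# Values taken from the report; the event layout around them is constructed.
SID = "S-1-5-21-1302416131-1437503476-2806442725-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ed3a2efa153c6562ee08d2b8359958f0N.exe"
WINVER = r"C:\Windows\SysWOW64\winver.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
SIHOST = r"C:\Windows\system32\sihost.exe"

RUN_KEY_EVENT = {
    "EventType": "RegistrySetValue", "ProcessId": 2492, "Image": WINVER,
    "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F3FBA43A",
    "Details": r"C:\Users\Admin\AppData\Roaming\F3FBA43A\bin.exe",
}
# Constructed benign control: an installer registering an updater under Program Files.
BENIGN_RUN_KEY_EVENT = {
    "EventType": "RegistrySetValue", "ProcessId": 5000,
    "Image": r"C:\Program Files\Vendor\setup.exe",
    "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
    "Details": r"C:\Program Files\Vendor\updater.exe",
}

def wpm(src_pid, src, dst_pid, dst):
    """Build a constructed cross-process memory-write event."""
    return {"EventType": "WriteProcessMemory", "SourceProcessId": src_pid, "SourceImage": src,
            "TargetProcessId": dst_pid, "TargetImage": dst}

EVENTS = [
    wpm(4428, SAMPLE, 2492, WINVER), wpm(4428, SAMPLE, 2492, WINVER),  # sample -> winver.exe
    wpm(2492, WINVER, 3520, EXPLORER),                                 # winver.exe -> Explorer.EXE
    wpm(2492, WINVER, 2576, SIHOST),                                   # winver.exe -> sihost.exe
    RUN_KEY_EVENT, BENIGN_RUN_KEY_EVENT,
]

def suspicious_run_key(event):
    """Return the reasons an autorun registry write looks suspicious ([] = clean)."""
    target = event.get("TargetObject", "")
    data = event.get("Details", "")
    image = event.get("Image", "")
    if not AUTORUN_KEY.search(target):
        return []
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("autorun target in user-writable directory")
    if HEX_NAME.match(target.rsplit("\\", 1)[-1]):
        reasons.append("machine-looking hex value name")
    if SYSTEM_DIRS.match(image):
        reasons.append("written by a Windows system binary (possible injected host)")
    return reasons

def injection_chains(events):
    """Return sorted (origin, host, victim) image triples: a non-system origin
    wrote into a system binary (host) that then wrote into another process (victim)."""
    writes = defaultdict(set)  # (pid, image) -> {(pid, image), ...}
    for e in events:
        if e.get("EventType") == "WriteProcessMemory":
            writes[(e["SourceProcessId"], e["SourceImage"])].add(
                (e["TargetProcessId"], e["TargetImage"]))
    chains = set()
    for origin, hosts in writes.items():
        if SYSTEM_DIRS.match(origin[1]):
            continue  # system binaries are considered as hosts, not origins
        for host in hosts:
            if not SYSTEM_DIRS.match(host[1]):
                continue
            for victim in writes.get(host, ()):
                chains.add((origin[1], host[1], victim[1]))
    return sorted(chains)

def triage(events):
    """Run both checks over an event list; returns (kind, details...) findings."""
    findings = []
    for e in events:
        reasons = suspicious_run_key(e)
        if reasons:
            findings.append(("persistence", e["Image"], e["TargetObject"], reasons))
    for chain in injection_chains(events):
        findings.append(("injection_chain",) + chain)
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On this report's events the persistence check fires on all three reasons for the F3FBA43A value and stays silent on the Program Files control, and the chain check reports the sample writing into winver.exe and winver.exe writing into both Explorer.EXE and sihost.exe. The chain check deliberately keys on the image path of the host rather than on a fixed list of names, so a sample that picks a different SysWOW64 binary as its host is still caught.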