Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe
  Resource: win10v2004-20240802-en
General
Target: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe
Size: 237KB
MD5: 2e6d971f1de85e21117f9568145b53f7
SHA1: 51d10b6d70f5a5d22dcf7286138125191788be86
SHA256: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1
SHA512: 79399121bfdec9c3433febc8824e5a2183b6d6e36a4234d548f28feb33fc12b84bec56add87f6fb7b1ffec4d7b72016790c41b28ac18447a0bd6d98c6a596d7a
SSDEEP: 6144:iA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:iATuTAnKGwUAWVycQqgj
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: winver.exe (PID 2272)
  Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\0829A980 = "C:\\Users\\Admin\\AppData\\Roaming\\0829A980\\bin.exe"
Note that the value is written by winver.exe, not by the submitted sample, and that the value name (0829A980) is the same string as the directory under %APPDATA% that holds bin.exe.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe, winver.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (winver.exe)

Suspicious behavior: EnumeratesProcesses (61 IoCs)
Process: winver.exe (PID 2272), 61 occurrences

Suspicious use of FindShellTrayWindow (1 IoC)
Process: winver.exe (PID 2272)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe, winver.exe
  PID 2088 (0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe) wrote to memory of PID 2272 (winver.exe), 5 times
  PID 2272 (winver.exe) wrote to memory of PID 1220 (Explorer.EXE)
  PID 2272 (winver.exe) wrote to memory of PID 1108 (taskhost.exe)
  PID 2272 (winver.exe) wrote to memory of PID 1156 (Dwm.exe)
  PID 2272 (winver.exe) wrote to memory of PID 1220 (Explorer.EXE)
  PID 2272 (winver.exe) wrote to memory of PID 1668 (DllHost.exe)
  PID 2272 (winver.exe) wrote to memory of PID 2088 (0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe)
The chain is: the sample writes into the winver.exe it spawned; that winver.exe then writes into the existing shell processes (Explorer.EXE, taskhost.exe, Dwm.exe, DllHost.exe) and back into its parent, and it is also the process that sets the Run value above.
Processes
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1108
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1156
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1220
  - C:\Users\Admin\AppData\Local\Temp\0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe ("C:\Users\Admin\AppData\Local\Temp\0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe"), PID 2088
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (winver), PID 2272
      signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1668
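The two behaviours worth turning into detections from this report are the Run value (an 8-hex-digit value name pointing at %APPDATA%\<same 8 hex digits>\bin.exe) and the WriteProcessMemory fan-out from one process into several shell processes. The script below is an added example and not part of the sandbox report or the sample: it runs both checks over Sysmon-style records (Event ID 13 RegistryEvent value set, Event ID 10 ProcessAccess) that are constructed here from the PIDs and paths in the report. The field names follow Sysmon, but GrantedAccess is modelled as an integer rather than Sysmon's hex string, and the watch list of target images is an assumption taken from the report's own list.

```python
"""Detections derived from the sandbox report above (added example, constructed data)."""
import ntpath
import re
from collections import defaultdict

PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target handle

# Value name is 8 hex digits and the data points at %APPDATA%\<same 8 hex digits>\bin.exe
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([0-9A-Fa-f]{8})$")
BIN_PATH_RE = re.compile(r"\\AppData\\Roaming\\([0-9A-Fa-f]{8})\\bin\.exe$")

# Assumption: a fixed watch list, taken from the targets in the report's WriteProcessMemory list
SHELL_TARGETS = {"explorer.exe", "taskhost.exe", "dwm.exe", "dllhost.exe"}


def check_run_value(target_object, details):
    """Return the 8-hex tag when the Run value name equals the %APPDATA% folder name, else None."""
    name = RUN_VALUE_RE.search(target_object)
    path = BIN_PATH_RE.search(details.strip('"'))
    if name and path and name.group(1).upper() == path.group(1).upper():
        return name.group(1).upper()
    return None


def injection_fan_out(events, min_targets=3):
    """Flag source PIDs that obtained VM_WRITE on at least min_targets distinct watch-listed images."""
    targets = defaultdict(set)
    source_image = {}
    for e in events:
        if e["id"] != 10 or not (e["GrantedAccess"] & PROCESS_VM_WRITE):
            continue
        target = ntpath.basename(e["TargetImage"]).lower()  # ntpath handles backslashes on any OS
        if target in SHELL_TARGETS:
            targets[e["SourcePid"]].add(target)
            source_image[e["SourcePid"]] = e["SourceImage"]
    return [{"rule": "injection_fan_out", "pid": pid, "image": source_image[pid], "targets": t}
            for pid, t in targets.items() if len(t) >= min_targets]


def analyse(events):
    """Run both rules and return a list of finding dicts."""
    findings = []
    for e in events:
        if e["id"] == 13:
            tag = check_run_value(e["TargetObject"], e["Details"])
            if tag:
                findings.append({"rule": "run_key", "pid": e["ProcessId"], "image": e["Image"],
                                 "value": tag, "data": e["Details"]})
    findings.extend(injection_fan_out(events))
    return findings


# --- constructed records mirroring the report (PIDs, SID and paths taken from it) ---
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b225a0f98135633b1bd1306ac32cfbf31ecc12c4f79566a4acf97d63dee92e1.exe"
WINVER = r"C:\Windows\SysWOW64\winver.exe"
RUN_KEY = r"HKU\{}\Software\Microsoft\Windows\CurrentVersion\Run".format(
    "S-1-5-21-940600906-3464502421-4240639183-1000")


def access(src_img, src_pid, dst_img, dst_pid, granted=0x1FFFFF):
    """Build one ProcessAccess-style record; 0x1FFFFF is PROCESS_ALL_ACCESS (includes VM_WRITE)."""
    return {"id": 10, "SourceImage": src_img, "SourcePid": src_pid,
            "TargetImage": dst_img, "TargetPid": dst_pid, "GrantedAccess": granted}


EVENTS = [
    {"id": 13, "Image": WINVER, "ProcessId": 2272, "TargetObject": RUN_KEY + r"\0829A980",
     "Details": r"C:\Users\Admin\AppData\Roaming\0829A980\bin.exe"},
    # benign Run value (constructed): name is not a hex tag, must not fire
    {"id": 13, "Image": r"C:\Windows\explorer.exe", "ProcessId": 1220, "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
] + [access(SAMPLE, 2088, WINVER, 2272)] * 5 + [
    access(WINVER, 2272, r"C:\Windows\Explorer.EXE", 1220),
    access(WINVER, 2272, r"C:\Windows\system32\taskhost.exe", 1108),
    access(WINVER, 2272, r"C:\Windows\system32\Dwm.exe", 1156),
    access(WINVER, 2272, r"C:\Windows\Explorer.EXE", 1220),
    access(WINVER, 2272, r"C:\Windows\system32\DllHost.exe", 1668),
    access(WINVER, 2272, SAMPLE, 2088),
    # benign (constructed): QUERY_LIMITED_INFORMATION only, no VM_WRITE, must not count
    access(r"C:\Windows\System32\tasklist.exe", 3100, r"C:\Windows\Explorer.EXE", 1220, granted=0x1000),
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The parent's five writes into winver.exe are deliberately not flagged by the fan-out rule: winver.exe is not a process it would normally need VM_WRITE on, but a single spawned child is too weak a signal on its own, so that step is left to a parent-child hollowing rule that would need process-creation events this example does not model. The fan-out rule fires on PID 2272 because it reaches four distinct watch-listed images; the Run rule fires because the value name and the %APPDATA% folder carry the same tag, which is the part of the IoC that survives the tag being randomised.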