Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-08-2024 20:57
Static task: static1
Behavioral task: behavioral1
- Sample: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe
- Resource: win10v2004-20240802-en
General
- Target: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe
- Size: 237KB
- MD5: 20668c2a65a424d097a424618273bcd0
- SHA1: b1ba1596a3a4dc0dd4757287e1df79e1a8a448bf
- SHA256: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece
- SHA512: 181b523a3e5237a7dc6ef31b831202c345937f6a05ca8cd2f395c5f8d54e4af1bf0a72e5431d67caaa515239099a30fc47cf01c911820f673b18bd8751f80c31
- SSDEEP: 6144:8A2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:8ATuTAnKGwUAWVycQqgj
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\713387D1 = "C:\\Users\\Admin\\AppData\\Roaming\\713387D1\\bin.exe"
  process: winver.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe, winver.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: winver.exe
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
Processes: winver.exe
  pid 1972  winver.exe  (the same entry is recorded 61 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes: winver.exe
  pid 1972  winver.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe, winver.exe
  description: PID 3068 wrote to memory of 1972  process: 30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe  target process: winver.exe  (recorded 5 times)
  description: PID 1972 wrote to memory of 1324  process: winver.exe  target process: Explorer.EXE
  description: PID 1972 wrote to memory of 1148  process: winver.exe  target process: taskhost.exe
  description: PID 1972 wrote to memory of 1268  process: winver.exe  target process: Dwm.exe
  description: PID 1972 wrote to memory of 1324  process: winver.exe  target process: Explorer.EXE
  description: PID 1972 wrote to memory of 376  process: winver.exe  target process: DllHost.exe
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1148
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1268
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1324
  - C:\Users\Admin\AppData\Local\Temp\30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\30a3faef098a1745f1b16e3677ba12a8aabb4802bafcb4131c05575194f7cece.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3068
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1972
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 376