Analysis
max time kernel: 148s
max time network: 147s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe
  Resource: win10v2004-20240802-en
General
Target: 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe
Size: 225KB
MD5: 5b95c5041fcd7944ec712a00a804dba3
SHA1: 70117281e164844af32ec2d57ecf6b3776691bee
SHA256: 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef
SHA512: faa1963968a60db4a2f2f815fa9b9273e0e33d42c215ef47c71b264202a2f59b264e2d99e2ef765708137dab1581d453e870552e74949e4a7c1ac5f7dfdf06d4
SSDEEP: 6144:RA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:RATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\7754BB44 = "C:\\Users\\Admin\\AppData\\Roaming\\7754BB44\\bin.exe" | winver.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
Suspicious behavior: EnumeratesProcesses (61 IoCs)
Processes:
  pid | process
  2788 | winver.exe (the same entry is repeated for all 61 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  2788 | winver.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 2392 wrote to memory of 2788 | 2392 | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | winver.exe
  PID 2392 wrote to memory of 2788 | 2392 | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | winver.exe
  PID 2392 wrote to memory of 2788 | 2392 | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | winver.exe
  PID 2392 wrote to memory of 2788 | 2392 | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | winver.exe
  PID 2392 wrote to memory of 2788 | 2392 | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | winver.exe
  PID 2788 wrote to memory of 1276 | 2788 | winver.exe | Explorer.EXE
  PID 2788 wrote to memory of 1120 | 2788 | winver.exe | taskhost.exe
  PID 2788 wrote to memory of 1228 | 2788 | winver.exe | Dwm.exe
  PID 2788 wrote to memory of 1276 | 2788 | winver.exe | Explorer.EXE
  PID 2788 wrote to memory of 628 | 2788 | winver.exe | DllHost.exe
  PID 2788 wrote to memory of 2392 | 2788 | winver.exe | 807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe
Processes
[1] C:\Windows\system32\taskhost.exe | command line: "taskhost.exe" | PID:1120
[1] C:\Windows\system32\Dwm.exe | command line: "C:\Windows\system32\Dwm.exe" | PID:1228
[1] C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE | PID:1276
  [2] C:\Users\Admin\AppData\Local\Temp\807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe | command line: "C:\Users\Admin\AppData\Local\Temp\807fab6486eea4b2097d82f21a0eb30d9b1fcf0a9781687f6fef8690855919ef.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
    [3] C:\Windows\SysWOW64\winver.exe | command line: winver
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:2788
[1] C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:628