Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 00:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
  Resource: win10v2004-20240802-en
General
Target: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
Size: 237KB
MD5: 7a9cb63f5660ddb631210349fe5c3eb0
SHA1: 8f8053eb1bb223f44d1418a06caecaa1d5351d19
SHA256: 9911d115fa9bf1334d2980c2dc922f1f2414f69a88c234cd45c57ea5929fe292
SHA512: 351f63e46d21af6b42e74f49997ede8811c65133323848f0cf02e9b845fdb663e085294e488db0b72280d54baf791c476fd8b0b7e610a69af4b1b9fa4bfcbd6a
SSDEEP: 6144:0A2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:0ATuTAnKGwUAWVycQqgj
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\715B7F0F = "C:\\Users\\Admin\\AppData\\Roaming\\715B7F0F\\bin.exe" | winver.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a9cb63f5660ddb631210349fe5c3eb0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
Suspicious behavior: EnumeratesProcesses (47 IoCs)
Processes (pid | process):
  560 | winver.exe (47 identical entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
  560 | winver.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
  PID 2956 wrote to memory of 560 | 2956 | 7a9cb63f5660ddb631210349fe5c3eb0N.exe | winver.exe
  PID 2956 wrote to memory of 560 | 2956 | 7a9cb63f5660ddb631210349fe5c3eb0N.exe | winver.exe
  PID 2956 wrote to memory of 560 | 2956 | 7a9cb63f5660ddb631210349fe5c3eb0N.exe | winver.exe
  PID 2956 wrote to memory of 560 | 2956 | 7a9cb63f5660ddb631210349fe5c3eb0N.exe | winver.exe
  PID 2956 wrote to memory of 560 | 2956 | 7a9cb63f5660ddb631210349fe5c3eb0N.exe | winver.exe
  PID 560 wrote to memory of 1180 | 560 | winver.exe | Explorer.EXE
  PID 560 wrote to memory of 1100 | 560 | winver.exe | taskhost.exe
  PID 560 wrote to memory of 1156 | 560 | winver.exe | Dwm.exe
  PID 560 wrote to memory of 1180 | 560 | winver.exe | Explorer.EXE
  PID 560 wrote to memory of 1212 | 560 | winver.exe | DllHost.exe
Processes (path | command line | PID; indentation shows parent/child relationship):
  C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1100
  C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1156
  C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1180
    C:\Users\Admin\AppData\Local\Temp\7a9cb63f5660ddb631210349fe5c3eb0N.exe | "C:\Users\Admin\AppData\Local\Temp\7a9cb63f5660ddb631210349fe5c3eb0N.exe" | PID:2956
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\winver.exe | winver | PID:560
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1212