Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 09:34
Static task
static1
Behavioral task
behavioral1
Sample
6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe
Resource
win10v2004-20240802-en
General
-
Target
6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe
-
Size
8.2MB
-
MD5
7212283e1556c634629917b01de6f817
-
SHA1
321fd880d3ab4fadb36e9b512aed760de0f2e6bd
-
SHA256
6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9
-
SHA512
c6c688ebdec6eeee59c8b84066a3a3a18934b17d56cba5e2e8d2e7a38d099382ec9887af8024115a090405c7d3a7d9248759b75e481656d1e9a94d68f0e98da8
-
SSDEEP
98304:6nHKrVhknxx8ujLWFghGdkXC/2rF2Uf3LRBYZAIGVzArOSqeDalc6d:frmLQG2WRS8c9BDal
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe.lnk 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe -
Loads dropped DLL 1 IoCs
pid Process 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NETSTAT.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NETSTAT.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 2824 NETSTAT.EXE 2828 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2824 NETSTAT.EXE Token: SeDebugPrivilege 2828 NETSTAT.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2248 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 30 PID 2780 wrote to memory of 2248 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 30 PID 2780 wrote to memory of 2248 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 30 PID 2780 wrote to memory of 2248 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 30 PID 2248 wrote to memory of 2824 2248 cmd.exe 32 PID 2248 wrote to memory of 2824 2248 cmd.exe 32 PID 2248 wrote to memory of 2824 2248 cmd.exe 32 PID 2248 wrote to memory of 2824 2248 cmd.exe 32 PID 2780 wrote to memory of 2800 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 33 PID 2780 wrote to memory of 2800 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 33 PID 2780 wrote to memory of 2800 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 33 PID 2780 wrote to memory of 2800 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 33 PID 2800 wrote to memory of 2828 2800 cmd.exe 35 PID 2800 wrote to memory of 2828 2800 cmd.exe 35 PID 2800 wrote to memory of 2828 2800 cmd.exe 35 PID 2800 wrote to memory of 2828 2800 cmd.exe 35 PID 2780 wrote to memory of 2924 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 36 PID 2780 wrote to memory of 2924 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 36 PID 2780 wrote to memory of 2924 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 36 PID 2780 wrote to memory of 2924 2780 6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe 36 PID 2924 wrote to memory of 3048 2924 cmd.exe 38 PID 2924 wrote to memory of 3048 2924 cmd.exe 38 PID 2924 wrote to memory of 3048 2924 cmd.exe 38 PID 2924 wrote to memory of 3048 2924 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe"C:\Users\Admin\AppData\Local\Temp\6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe"1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\cmd.execmd.exe /c netstat -an2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -an3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netstat -an2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -an3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\Del.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\delay.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:3048
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163B
MD5da117a17f814b5d1a13c2e7f2e6a794e
SHA1b94bde235c53c3947a9dd094a30aef626bf4dace
SHA25617b890eaf7b4af3ad68a9f9e55081c8c576b10061c3709917e29d47ec421089b
SHA51287eb8958b1d3ce6241feafdd1e84d635b695597061dbb0a62249c1948952149c32091ce15dac66f0da930e764b145e08d9573e9d067a11a062de2fff46dacb7e
-
Filesize
18B
MD55ccc803b59fdbcdea8fd7510e8d0fc04
SHA1934485e70bf33c0860d346c92f85231be6dbc606
SHA25656dbbffa3c9452f514e5f85f589cd8ee557ddd79283c3456bb37296c482d4631
SHA512a0229aba0a6fda2f9edd6c363b5de5eae1da0f3e04b687ac893cc6f01cde7d969799333b576b0277363339906570ef33f30f5b3f6738cf16a5f49316fde9a642
-
Filesize
8.4MB
MD58b6c94bbdbfb213e94a5dcb4fac28ce3
SHA1b56102ca4f03556f387f8b30e2b404efabe0cb65
SHA256982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53
SHA5129d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a