Analysis
max time kernel: 102s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: fa0b9a4b83b167d048bd3776fe381a00N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: fa0b9a4b83b167d048bd3776fe381a00N.exe
  Resource: win10v2004-20240802-en
General
Target: fa0b9a4b83b167d048bd3776fe381a00N.exe
Size: 67KB
MD5: fa0b9a4b83b167d048bd3776fe381a00
SHA1: 84b7fab62b61b073280b725529c05372fb04ada5
SHA256: da942c072718aeb087055dc7d0eeab5aa41d5bcdf749d32a4474903fbbd280a8
SHA512: 73ea28e2db9dd878f3e927dc2f126c75a89ba6ad372f19e779d07235d3abb05a5374c92968550f1bbd25caa2d61cdde84c7249e7902b24bd8327977f98edd335
SSDEEP: 1536:mvlmziUNJM4sbA5E3C8JNScjNOxfxMXl37U+mAKeRQiR/Rj:mUziUNJMtCE3jAcIx5Mhg+mGeiVx
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | fa0b9a4b83b167d048bd3776fe381a00N.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  3664 | Dmllipeg.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Dmllipeg.exe | fa0b9a4b83b167d048bd3776fe381a00N.exe
  File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | fa0b9a4b83b167d048bd3776fe381a00N.exe
  File created | C:\Windows\SysWOW64\Kngpec32.dll | fa0b9a4b83b167d048bd3776fe381a00N.exe
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3028 | 3664 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa0b9a4b83b167d048bd3776fe381a00N.exe
Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | fa0b9a4b83b167d048bd3776fe381a00N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | fa0b9a4b83b167d048bd3776fe381a00N.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2876 wrote to memory of 3664 | 2876 | fa0b9a4b83b167d048bd3776fe381a00N.exe | 84
  PID 2876 wrote to memory of 3664 | 2876 | fa0b9a4b83b167d048bd3776fe381a00N.exe | 84
  PID 2876 wrote to memory of 3664 | 2876 | fa0b9a4b83b167d048bd3776fe381a00N.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\fa0b9a4b83b167d048bd3776fe381a00N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa0b9a4b83b167d048bd3776fe381a00N.exe"
   PID: 2876
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Dmllipeg.exe
      Command line: C:\Windows\system32\Dmllipeg.exe
      PID: 3664
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 408
         PID: 3028
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3664 -ip 3664
   PID: 3116
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 67KB
MD5: 6705f167813fc7741c75910329189e80
SHA1: bc3ab6255119eb8d67d97c1998a4ee5bd890eede
SHA256: d3cf04f5ff56402576c379d087a27ade9bab37be62dff85a89ba39dd63869627
SHA512: d39317101bdbb0e101efc107e90906a3d907c56831f43b0c1561734cf9a731ec482e802b4e0269262831801adde0d0493aca0a5ddfdcb15ca64cf7401bc669e4