Analysis

max time kernel: 142s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 09:35
Static task: static1

Behavioral task: behavioral1
Sample: ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Resource: win10v2004-20240802-en
General

Target: ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Size: 13.5MB
MD5: 1422010c7d83a5f513daf3e0971b9478
SHA1: 780293a47cc96fa3ff50cb97125fc1a78374c447
SHA256: ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497
SHA512: fe9c77553e47490b6e89cf78fbd6959fd3f390c5416762a9e2b0ad26ee26d62270c5e9653d980aea3ddc948de732fffe35200dcd0c7fc5244e3a637073230773
SSDEEP: 196608:J89duCvh7pQoXhQET1AIxGJYJbaogx2gwKB0e2:kuy7p7XhN5aaHgYgbv
Malware Config
Signatures
-
Loads dropped DLL  4 IoCs
  pid   Process
  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2768  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2768  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Drops file in Windows directory  2 IoCs
  description                   ioc                               Process
  File opened for modification  C:\Windows\Fonts\font_temp.ttf    ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  File created                  C:\Windows\Fonts\font_temp.ttf    ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Note that cmd.exe and PING.EXE trip the same signature: opening NLS\Language is part of ordinary locale initialisation on Windows, so a hit here is weak evidence on its own. It is the process chain below, not this key read, that characterises the sample.
System Network Configuration Discovery: Internet Connection Discovery  1 TTPs  1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2744  PING.EXE
The command line recorded for this process is "ping 127.0.0.1 -n 2": two echo requests to loopback, the long-standing batch-file idiom for a roughly one-second delay. The packets never leave the host and the Network section of this report records no traffic, so this is a timing trick rather than a connectivity check; the signature is raised by the ping.exe execution itself.

Runs ping.exe  1 TTPs  1 IoCs
  pid   Process
  2744  PING.EXE
Suspicious use of SetWindowsHookEx  4 IoCs
  pid   Process
  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2768  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
  2768  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
Suspicious use of WriteProcessMemory  15 IoCs
  description                    pid   Process                                                                  procid_target
  PID 2540 wrote to memory of 2292  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  30
  PID 2540 wrote to memory of 2292  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  30
  PID 2540 wrote to memory of 2292  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  30
  PID 2540 wrote to memory of 2292  2540  ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  30
  PID 2292 wrote to memory of 2744  2292  cmd.exe                                                                  32
  PID 2292 wrote to memory of 2744  2292  cmd.exe                                                                  32
  PID 2292 wrote to memory of 2744  2292  cmd.exe                                                                  32
  PID 2292 wrote to memory of 2744  2292  cmd.exe                                                                  32
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
  PID 2292 wrote to memory of 2768  2292  cmd.exe                                                                  33
Every target in this table is a child the writing process had just spawned (2540 -> 2292, 2292 -> 2744, 2292 -> 2768), which is the memory writing CreateProcess performs when setting up a new process. No write into an unrelated, pre-existing process is recorded, so this is not evidence of injection.
Processes

C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  (level 1, PID 2540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (level 2, PID 2292)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (level 3, PID 2744)
      Command line: ping 127.0.0.1 -n 2
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe  (level 3, PID 2768)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CCF774~1.EXE"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

Read top-down, the tree is a self-restart: the sample runs a Restart.bat from its own Temp directory through cmd.exe; the batch delays by pinging loopback twice and then starts the sample again, referring to it by its 8.3 short name (CCF774~1.EXE). The second instance (PID 2768) repeats the dropped-DLL load and the SetWindowsHookEx call, and no further restart is recorded within the run. cmd.exe and PING.EXE are launched from SysWOW64, so the sample is a 32-bit process on the x64 image. The content of Restart.bat is not shown in this report.
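The process tree above is a recognisable shape (dropper -> cmd /c &lt;Temp&gt;\*.bat -> loopback ping as a delay -> the dropper started again) that is easy to hunt for in process-creation telemetry. The following is an added example, not code from the report or the sandbox vendor: a small detector over Sysmon-style process-creation records that links the relaunch to the original dropper by resolved image path, so the 8.3 short name in the command line does not hide the relationship. The event records, the ppid 1000 assumed for the first process, and the benign noise event are constructed for the example; the PIDs and command lines mirror the tree above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 provides)."""
    pid: int
    ppid: int
    image: str      # resolved image path; an 8.3 name such as CCF774~1.EXE is already expanded here
    cmdline: str


# "ping 127.0.0.1 -n N" or "ping -n N 127.0.0.1": a loopback ping used as a delay.
LOOPBACK_PING = re.compile(
    r"ping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+\d+"
    r"|ping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost|::1)",
    re.IGNORECASE,
)

# cmd /c or /k launching a .bat or .cmd from a user's %LOCALAPPDATA%\Temp.
TEMP_BATCH = re.compile(
    r'cmd(?:\.exe)?"?\s+/[ck]\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s"]+\.(?:bat|cmd)',
    re.IGNORECASE,
)


def find_restart_chains(events: List[ProcEvent]) -> List[Dict[str, int]]:
    """Return one dict of PIDs per dropper -> cmd -> {loopback ping, relaunch} chain found.

    A chain matches when a cmd.exe running a batch file from Temp has both a loopback
    ping child and a child whose image is the same file as cmd.exe's own parent.
    """
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits: List[Dict[str, int]] = []
    for cmd in events:
        if not TEMP_BATCH.search(cmd.cmdline):
            continue
        dropper = by_pid.get(cmd.ppid)
        if dropper is None:          # parent not inside our window of events
            continue
        kids = children.get(cmd.pid, [])
        ping = next((k for k in kids if LOOPBACK_PING.search(k.cmdline)), None)
        relaunch = next((k for k in kids if k.image.lower() == dropper.image.lower()), None)
        if ping is not None and relaunch is not None:
            hits.append({"dropper": dropper.pid, "cmd": cmd.pid,
                         "ping": ping.pid, "relaunch": relaunch.pid})
    return hits


# Constructed sample events modelled on the report's process tree. PIDs and command lines
# are taken from the tree; ppid 1000 (an assumed explorer.exe) and the last event are invented.
SAMPLE = "ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
SAMPLE_EVENTS = [
    ProcEvent(2540, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(2292, 2540, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP + r"\Restart.bat"),
    ProcEvent(2744, 2292, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    ProcEvent(2768, 2292, SAMPLE_PATH, '"' + TEMP + r'\CCF774~1.EXE"'),
    # Benign noise: a user pinging an external host must not produce a hit.
    ProcEvent(3001, 1000, r"C:\Windows\System32\PING.EXE", "ping 8.8.8.8 -n 4"),
]

if __name__ == "__main__":
    for hit in find_restart_chains(SAMPLE_EVENTS):
        print(hit)   # {'dropper': 2540, 'cmd': 2292, 'ping': 2744, 'relaunch': 2768}
```

Requiring both children (the delay and the relaunch) under the same cmd.exe is what keeps the rule quiet: a loopback ping alone is common in installers and admin scripts, and a batch file in Temp alone is common too. Matching the relaunch by image path rather than command line is deliberate, because the batch refers to the sample by its short name.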
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 113B
MD5: 031de4a2bc4df456bb84ccc9dc56069e
SHA1: e76c465636c3222fb4b496262e1aaf7f07372852
SHA256: e2c526a38bcb3974eff6e1f8e662541895b4228561e0930bfae374f76846d290
SHA512: 2bc90aabeeb172798ee7942a42b076e3645ae134b8030c7720c8c37ea6f1fdb03dafc57ab8cb56757fd88cb4106c3117bfc4a63f4169f7c30ec1921a26b704aa

Filesize: 8.0MB
MD5: 092a99ee52bbaef7481cc96c5b85b992
SHA1: 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b
SHA256: b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d
SHA512: 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Filesize: 1.6MB
MD5: a1df3b7884c175c967505a589ba51da2
SHA1: 7aaf570e41a00149134973d00f4efc09c4b650c2
SHA256: c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525
SHA512: 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Filesize: 333KB
MD5: 56a2bcecbd3cddd6f4a35361bf4920d6
SHA1: 992e63be423f0e61093ba183f49fc0cbec790488
SHA256: 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
SHA512: 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551