Analysis
- max time kernel: 119s
- max time network: 62s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:50
Behavioral tasks
- behavioral1: Sample afa97b6dbd655a5717f6d6a7122d6a40N.exe, Resource win7-20240704-en
- behavioral2: Sample afa97b6dbd655a5717f6d6a7122d6a40N.exe, Resource win10v2004-20240802-en
General
- Target: afa97b6dbd655a5717f6d6a7122d6a40N.exe
- Size: 161KB
- MD5: afa97b6dbd655a5717f6d6a7122d6a40
- SHA1: 591c325a627ec08b485d843eb85d5335aec67d0f
- SHA256: e60984f9b1bcc7b2159e84525a9fe8121eb0302bc3b3b2e20b7de076e2a6f9bf
- SHA512: b39e71cb8f3cf7bffd51a522753344831bdf05729f0228015eb55e053ec53c5ac4ef6c5121689a34bcb3d58366bbce6549cd9a28a0849cb89019b5eefbb6e7b5
- SSDEEP: 3072:i5SVkkgUWib1UC7AdYzrV+Dljy/32ubwZZqJ:pUquCkdYzrVolu/J0ZZ
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  3460  WindowsService.exe
  520   WindowsService.exe
  3180  WindowsService.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  3220  afa97b6dbd655a5717f6d6a7122d6a40N.exe  (5 events)

Yara rule matches
  resource                                                                     yara_rule
  behavioral1/memory/1052-0-0x0000000000400000-0x000000000043C000-memory.dmp     upx
  behavioral1/memory/1052-3-0x0000000000400000-0x000000000043C000-memory.dmp     upx
  behavioral1/memory/1052-316-0x0000000000400000-0x000000000043C000-memory.dmp   upx
  behavioral1/memory/1052-235-0x0000000000400000-0x000000000043C000-memory.dmp   upx
  behavioral1/memory/1052-447-0x0000000000400000-0x000000000043C000-memory.dmp   upx
  behavioral1/memory/3220-446-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/files/0x000a000000018ed5-486.dat                                  upx
  behavioral1/memory/3460-492-0x0000000000400000-0x000000000043C000-memory.dmp   upx
  behavioral1/memory/3220-495-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/3460-500-0x0000000000400000-0x000000000043C000-memory.dmp   upx
  behavioral1/memory/520-1033-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/3220-1048-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/3460-1045-0x0000000000400000-0x000000000043C000-memory.dmp  upx
  behavioral1/memory/520-1053-0x0000000000400000-0x000000000040B000-memory.dmp   upx
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                     Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"  reg.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                                pid   Process                                procid_target
  PID 1052 set thread context of 3220        1052  afa97b6dbd655a5717f6d6a7122d6a40N.exe  29
  PID 3460 set thread context of 520         3460  WindowsService.exe                     34
  PID 3460 set thread context of 3180        3460  WindowsService.exe                     35
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WindowsService.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  afa97b6dbd655a5717f6d6a7122d6a40N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  afa97b6dbd655a5717f6d6a7122d6a40N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WindowsService.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WindowsService.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description               pid  Process
  Token: SeDebugPrivilege   520  WindowsService.exe  (46 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1052  afa97b6dbd655a5717f6d6a7122d6a40N.exe
  3220  afa97b6dbd655a5717f6d6a7122d6a40N.exe
  3460  WindowsService.exe
  520   WindowsService.exe

Suspicious use of WriteProcessMemory (41 IoCs)
  description                          pid   Process                                procid_target  events
  PID 1052 wrote to memory of 3220     1052  afa97b6dbd655a5717f6d6a7122d6a40N.exe  29             8
  PID 3220 wrote to memory of 3380     3220  afa97b6dbd655a5717f6d6a7122d6a40N.exe  30             4
  PID 3380 wrote to memory of 3432     3380  cmd.exe                                32             4
  PID 3220 wrote to memory of 3460     3220  afa97b6dbd655a5717f6d6a7122d6a40N.exe  33             4
  PID 3460 wrote to memory of 520      3460  WindowsService.exe                     34             8
  PID 3460 wrote to memory of 3180     3460  WindowsService.exe                     35             13
Processes

C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe (PID 1052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe (PID 3220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3380)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RNMHQ.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 3432)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (PID 3460)
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (PID 520)
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (PID 3180)
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 157B
  MD5: f6a90c20834f271a907a4e2bc28184c2
  SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

- Filesize: 161KB
  MD5: d6d4455789a94278bc7b3932cd6cc4ae
  SHA1: 7c63a71e82eab317b53b4432f3f15f067a0b85d9
  SHA256: 84b800edda19d3c7b15088dce240e29673d51c265fce031a575e1cd84836c275
  SHA512: 88aab001c3b2adf66efda0103ef753347beda04f0dd610df281e78b2740ce9416cf08668628536f7ca83ebae58a208191fa3d04a71299d0076637facc5b42bb0