Analysis
max time kernel: 112s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-08-2024 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: ab5aba6c4abe02ce1469654bd04ae560N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ab5aba6c4abe02ce1469654bd04ae560N.exe
  Resource: win10v2004-20240802-en
General
Target: ab5aba6c4abe02ce1469654bd04ae560N.exe
Size: 1.8MB
MD5: ab5aba6c4abe02ce1469654bd04ae560
SHA1: 16dde5baefb9353e0bd631450a4d731249d95cf7
SHA256: 81a5b5ccc8ef0e8f8c0d919045fbb82484d0a550d1fa2bc2a419beb98a16eedc
SHA512: 8174f4ea8fe82af1d2a95c8d905f625904d616cf4e9ce227ac6758a471b362ece4a068f90ccc052fc6e48e2142399ee4bc62ba30d7234a7fe5f4cde06f35382d
SSDEEP: 49152:FqeNVyO5iBNxiiZQCu9f0BTHgXhfSUbQr:UEIOwj/gJ0ZgXxxbu
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  3836  ab5aba6c4abe02ce1469654bd04ae560N.tmp
Loads dropped DLL (1 IoCs)
  pid   Process
  3836  ab5aba6c4abe02ce1469654bd04ae560N.tmp
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ab5aba6c4abe02ce1469654bd04ae560N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ab5aba6c4abe02ce1469654bd04ae560N.tmp
Kills process with taskkill (1 IoCs)
  pid   Process
  1444  taskkill.exe
Script User-Agent (1 IoCs)
Uses a user-agent string associated with a script host/environment.
  description             flow  ioc
  HTTP User-Agent header  35    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                                 procid_target
  PID 4792 wrote to memory of 3836    4792  ab5aba6c4abe02ce1469654bd04ae560N.exe   84
  PID 4792 wrote to memory of 3836    4792  ab5aba6c4abe02ce1469654bd04ae560N.exe   84
  PID 4792 wrote to memory of 3836    4792  ab5aba6c4abe02ce1469654bd04ae560N.exe   84
  PID 3836 wrote to memory of 1444    3836  ab5aba6c4abe02ce1469654bd04ae560N.tmp   92
  PID 3836 wrote to memory of 1444    3836  ab5aba6c4abe02ce1469654bd04ae560N.tmp   92
  PID 3836 wrote to memory of 1444    3836  ab5aba6c4abe02ce1469654bd04ae560N.tmp   92
Processes
1. C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe"
   PID: 4792
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-ICARJ.tmp\ab5aba6c4abe02ce1469654bd04ae560N.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-ICARJ.tmp\ab5aba6c4abe02ce1469654bd04ae560N.tmp" /SL5="$601C6,1181751,780288,C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe"
      PID: 3836
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjV_K_D_J.exe
         PID: 1444
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 232KB
  MD5: 55c310c0319260d798757557ab3bf636
  SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
  SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
  SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
  Filesize: 2.5MB
  MD5: 42dff2b4641638ce7e32c4d79b66345c
  SHA1: dcb87c617a58d6e5914b52574d436c3c095b2331
  SHA256: 4b543620d0e37104396a5395cb91994ed924d45b5335004dd581b954dc32adf4
  SHA512: bde0d1c81c341cc3795d8166e79247e08837b9c84741e4351d14363b02cf057642cde49024f7f7c7271bae4e0a1011eb7378e82a30f5747541206fa0d3b3f6e9