Analysis
-
max time kernel
120s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
30-08-2024 15:18
Behavioral task
behavioral1
Sample
b68f66b5f2a41de572a784d603eaa230N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b68f66b5f2a41de572a784d603eaa230N.exe
Resource
win10v2004-20240802-en
General
-
Target
b68f66b5f2a41de572a784d603eaa230N.exe
-
Size
3.8MB
-
MD5
b68f66b5f2a41de572a784d603eaa230
-
SHA1
7ba4f34b08e472351d0f73f01cfca3d54de48689
-
SHA256
1eb852ea8cdd3be460ae959a012a1e2122435d7e9b6196c5eacd2bf7f92b0f83
-
SHA512
d6195c4ef4ffa11b5f5f5c539fd1df95b79bef6702035f82355d165459351dd6bb25b57cbe8075cca71b7f5db37c1362371420e7e94b229ac72ed2cf72b46409
-
SSDEEP
98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/rmlwXVZ4FB:5+R/eZADUXR
Malware Config
Extracted
bitrat
1.38
IP:Port
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
install_dir
Install path
-
install_file
Install name
-
tor_process
tor
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name" b68f66b5f2a41de572a784d603eaa230N.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b68f66b5f2a41de572a784d603eaa230N.exe -
Suspicious behavior: RenamesItself 23 IoCs
pid Process 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1948 b68f66b5f2a41de572a784d603eaa230N.exe Token: SeShutdownPrivilege 1948 b68f66b5f2a41de572a784d603eaa230N.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1948 b68f66b5f2a41de572a784d603eaa230N.exe 1948 b68f66b5f2a41de572a784d603eaa230N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b68f66b5f2a41de572a784d603eaa230N.exe"C:\Users\Admin\AppData\Local\Temp\b68f66b5f2a41de572a784d603eaa230N.exe"1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1948