Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 12:27
Static task: static1
Behavioral task: behavioral1
Sample: c7501c5118971f1ee4e86372b8963310N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: c7501c5118971f1ee4e86372b8963310N.exe
Resource: win10v2004-20240802-en
General
Target: c7501c5118971f1ee4e86372b8963310N.exe
Size: 60KB
MD5: c7501c5118971f1ee4e86372b8963310
SHA1: c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48
SHA256: a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6
SHA512: 4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9
SSDEEP: 768:XE30N/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:gNPeXonnUStQXDI4spvVp+N8NECtH3T
Malware Config
Signatures
Expiro payload (6 IoCs)
The family_expiro2 rule matches only in the memory of PIDs 2552 and 2312, the two processes that are written into and have their thread context replaced by their parents (see the SetThreadContext and WriteProcessMemory signatures below); the decoded payload lives in the hollowed children, not in the on-disk sample.
Processes:
resource | yara_rule
behavioral1/memory/2552-13-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
behavioral1/memory/2552-25-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
behavioral1/memory/2312-43-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
behavioral1/memory/2312-44-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
behavioral1/memory/2312-47-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
behavioral1/memory/2312-54-0x0000000000400000-0x000000000040B000-memory.dmp | family_expiro2
Executes dropped EXE (2 IoCs)
Processes:
pid | process
3056 | service124.exe
2312 | service124.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
2552 | c7501c5118971f1ee4e86372b8963310N.exe
2552 | c7501c5118971f1ee4e86372b8963310N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Both entries reuse the value name of Adobe Reader's own speed-launcher autostart entry but point at the dropped copy in SysWOW64. The HKLM entry lands under Wow6432Node because the sample is a 32-bit process on a 64-bit host, so a hunt that only reads the native HKLM\...\Run key will miss it.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service124.exe" | service124.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service124.exe" | service124.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. For a file infector such as Expiro this enumeration typically precedes a scan of the other volumes for executables to infect, so remediation should check PE files on D: and F: as well, not only the dropped service124.exe.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | service124.exe
File opened (read-only) | \??\F: | service124.exe
Modifies WinLogon (2 TTPs, 1 IoCs)
Winlogon only honours a fixed set of value names under this key (Shell, Userinit and a few others); a custom value name such as this one is not executed at logon by itself, so treat the write as evidence of tampering and as an indicator, while the two Run-key entries above are the working autostarts.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service124.exe" | service124.exe
Drops file in System32 directory (2 IoCs)
The 32-bit sample is redirected to C:\Windows\SysWOW64 on this x64 host.
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\service124.exe | c7501c5118971f1ee4e86372b8963310N.exe
File opened for modification | C:\Windows\SysWOW64\service124.exe | c7501c5118971f1ee4e86372b8963310N.exe
Suspicious use of SetThreadContext (2 IoCs)
In both cases the parent starts a second copy of its own image, writes into it (see WriteProcessMemory below) and then replaces the child's thread context: the classic process-hollowing sequence, used here to unpack the Expiro payload into the child rather than to hide inside a foreign process.
Processes:
description | pid | process | target pid | target process
set thread context of | 2900 | c7501c5118971f1ee4e86372b8963310N.exe | 2552 | c7501c5118971f1ee4e86372b8963310N.exe
set thread context of | 3056 | service124.exe | 2312 | service124.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service124.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7501c5118971f1ee4e86372b8963310N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7501c5118971f1ee4e86372b8963310N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service124.exe
Suspicious use of WriteProcessMemory (20 IoCs)
The report lists one row per call; the rows are identical within each parent/target pair, so they are grouped here with a count.
Processes:
description | pid | process | target pid | target process | calls
wrote to memory of | 2900 | c7501c5118971f1ee4e86372b8963310N.exe | 2552 | c7501c5118971f1ee4e86372b8963310N.exe | 8
wrote to memory of | 2552 | c7501c5118971f1ee4e86372b8963310N.exe | 3056 | service124.exe | 4
wrote to memory of | 3056 | service124.exe | 2312 | service124.exe | 8
Processes
C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe (PID 2900)
    command line: "C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe (PID 2552, child of 2900)
        command line: "C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe"
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\service124.exe (PID 3056, child of 2552)
            arguments: -n
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\service124.exe (PID 2312, child of 3056)
                arguments: -n
                - Executes dropped EXE
                - Adds Run key to start application
                - Enumerates connected drives
                - Modifies WinLogon
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution, T1547 (2)
        Registry Run Keys / Startup Folder, T1547.001 (1)
        Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
    Boot or Logon Autostart Execution, T1547 (2)
        Registry Run Keys / Startup Folder, T1547.001 (1)
        Winlogon Helper DLL, T1547.004 (1)
Downloads
Filesize: 60KB
MD5: c7501c5118971f1ee4e86372b8963310
SHA1: c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48
SHA256: a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6
SHA512: 4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9