Analysis
- max time kernel: 114s
- max time network: 113s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 02-09-2024 11:33
Static task: static1
Behavioral task: behavioral1
- Sample: c7501c5118971f1ee4e86372b8963310N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c7501c5118971f1ee4e86372b8963310N.exe
- Resource: win10v2004-20240802-en
General
- Target: c7501c5118971f1ee4e86372b8963310N.exe
- Size: 60KB
- MD5: c7501c5118971f1ee4e86372b8963310
- SHA1: c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48
- SHA256: a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6
- SHA512: 4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9
- SSDEEP: 768:XE30N/7tEaWcArSwaydTb0EroSd3QXGsBS4sZFFSUv6GfEK+RsWW2qTN4lvCy2ZL:gNPeXonnUStQXDI4spvVp+N8NECtH3T
Malware Config
Signatures
Expiro payload (7 IoCs)
YARA rule family_expiro2 matched the following memory dumps (all from behavioral1, PIDs 2360 and 2808, image range 0x400000-0x40B000):
- behavioral1/memory/2360-14-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2360-26-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2808-43-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2808-44-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2808-46-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2808-52-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2808-55-0x0000000000400000-0x000000000040B000-memory.dmp
Executes dropped EXE (2 IoCs)
- PID 2816: service199.exe
- PID 2808: service199.exe
Loads dropped DLL (2 IoCs)
- PID 2360: c7501c5118971f1ee4e86372b8963310N.exe
- PID 2360: c7501c5118971f1ee4e86372b8963310N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" (process: service199.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" (process: service199.exe)
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\D: (process: service199.exe)
- File opened (read-only) \??\F: (process: service199.exe)
Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" (process: service199.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\service199.exe (process: c7501c5118971f1ee4e86372b8963310N.exe)
- File created C:\Windows\SysWOW64\service199.exe (process: c7501c5118971f1ee4e86372b8963310N.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 3008 (c7501c5118971f1ee4e86372b8963310N.exe) set thread context of PID 2360 (c7501c5118971f1ee4e86372b8963310N.exe)
- PID 2816 (service199.exe) set thread context of PID 2808 (service199.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c7501c5118971f1ee4e86372b8963310N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: service199.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: service199.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c7501c5118971f1ee4e86372b8963310N.exe)
Suspicious use of WriteProcessMemory (20 IoCs)
- PID 3008 (c7501c5118971f1ee4e86372b8963310N.exe) wrote to memory of PID 2360 (c7501c5118971f1ee4e86372b8963310N.exe): 8 events
- PID 2360 (c7501c5118971f1ee4e86372b8963310N.exe) wrote to memory of PID 2816 (service199.exe): 4 events
- PID 2816 (service199.exe) wrote to memory of PID 2808 (service199.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe"
  PID: 3008 (level 1)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c7501c5118971f1ee4e86372b8963310N.exe"
    PID: 2360 (level 2, child of 3008)
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\service199.exe
      Arguments: -n
      PID: 2816 (level 3, child of 2360)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\service199.exe
        Arguments: -n
        PID: 2808 (level 4, child of 2816)
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - System Location Discovery: System Language Discovery
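The signature tables and process tree above show two things worth pulling out of the raw IoC lines: a two-stage self-injection chain (each stage starts a second copy of its own image, writes into it and then calls SetThreadContext on it, the shape of process hollowing) and persistence that points both Run keys and a Winlogon value at the file the sample dropped into C:\Windows\SysWOW64. The script below is an added example and not part of the sandbox report or its tooling; it parses IoC lines in the report's own text format (the sample input is copied from the tables above and embedded as constructed data) and flags both patterns. All function and variable names are the example's own.

```python
import re

# Constructed sample input: IoC lines copied from the report's signature tables
# (SetThreadContext, WriteProcessMemory, Run/Winlogon key writes, file drop).
REPORT_LINES = r"""
PID 3008 set thread context of 2360 3008 c7501c5118971f1ee4e86372b8963310N.exe c7501c5118971f1ee4e86372b8963310N.exe
PID 2816 set thread context of 2808 2816 service199.exe service199.exe
PID 3008 wrote to memory of 2360 3008 c7501c5118971f1ee4e86372b8963310N.exe c7501c5118971f1ee4e86372b8963310N.exe
PID 2360 wrote to memory of 2816 2360 c7501c5118971f1ee4e86372b8963310N.exe service199.exe
PID 2816 wrote to memory of 2808 2816 service199.exe service199.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" service199.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" service199.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Windows\\SysWOW64\\service199.exe" service199.exe
File created C:\Windows\SysWOW64\service199.exe c7501c5118971f1ee4e86372b8963310N.exe
"""

# One regex per IoC line shape used in the report (hypothetical parser, not the sandbox's).
PATTERNS = {
    "setctx": re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$"),
    "write":  re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$"),
    "regset": re.compile(r'^Set value \(str\) (.+?) = "(.*)" (\S+)$'),
    "create": re.compile(r"^File created (\S+) (\S+)$"),
}

# Key fragments that make a registry write an autostart location.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\winlogon\\")


def parse_report(text):
    """Turn report IoC lines into event dicts; lines of unknown shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if not m:
                continue
            g = m.groups()
            if kind in ("setctx", "write"):
                events.append({"type": kind, "src": int(g[0]), "dst": int(g[1]),
                               "src_img": g[2], "dst_img": g[3]})
            elif kind == "regset":
                events.append({"type": kind, "key": g[0], "data": g[1], "proc": g[2]})
            else:
                events.append({"type": kind, "path": g[0], "proc": g[1]})
            break
    return events


def find_hollowing_candidates(events):
    """SetThreadContext on a process running the caller's own image, where the caller
    also wrote into that process: the self-hollowing shape seen at both stages here."""
    writes = {(e["src"], e["dst"]) for e in events if e["type"] == "write"}
    return [(e["src"], e["dst"], e["src_img"]) for e in events
            if e["type"] == "setctx"
            and e["src_img"].lower() == e["dst_img"].lower()
            and (e["src"], e["dst"]) in writes]


def find_autostart_of_dropped(events):
    """Run / Winlogon values whose data points at a file the sample itself created."""
    dropped = {e["path"].lower() for e in events if e["type"] == "create"}
    hits = []
    for e in events:
        if e["type"] != "regset":
            continue
        if not any(m in e["key"].lower() for m in AUTOSTART_MARKERS):
            continue
        # The report escapes backslashes inside the value data; normalise before comparing.
        target = e["data"].replace("\\\\", "\\").strip('"').lower()
        hits.append({"key": e["key"], "target": target, "dropped_by_sample": target in dropped})
    return hits


def injection_chain(events, root):
    """Follow WriteProcessMemory edges from the root PID to recover the execution chain
    in preorder (parent before children)."""
    children = {}
    for e in events:
        if e["type"] == "write":
            children.setdefault(e["src"], set()).add(e["dst"])
    order = []

    def walk(pid):
        order.append(pid)
        for child in sorted(children.get(pid, ())):
            walk(child)

    walk(root)
    return order


if __name__ == "__main__":
    ev = parse_report(REPORT_LINES)
    print("chain:", " -> ".join(str(p) for p in injection_chain(ev, 3008)))
    for src, dst, img in find_hollowing_candidates(ev):
        print(f"hollowing: PID {src} -> PID {dst} ({img})")
    for h in find_autostart_of_dropped(ev):
        print(f"autostart: {h['key']} -> {h['target']} (dropped by sample: {h['dropped_by_sample']})")
```

Run on the embedded lines it recovers the chain 3008 -> 2360 -> 2816 -> 2808, flags both SetThreadContext events as hollowing candidates, and reports all three autostart writes as pointing at the dropped service199.exe. One caveat when reading the "Modifies WinLogon" signature: the value is written under the Winlogon key with an arbitrary name rather than into Shell or Userinit, the values Winlogon actually consults, so on its own it does not relaunch the dropper; the two Run entries are what restart it at logon.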
Network
MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Privilege Escalation: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Downloads
- Filesize: 60KB
- MD5: c7501c5118971f1ee4e86372b8963310
- SHA1: c7a5bf459c452e0d22ca14b7b3e5696f40fb4b48
- SHA256: a49043714c414f0680f9ee25dd807f73549ae2385a60604d9bc8b59fe19e4ce6
- SHA512: 4b26a3ce4bc4b4e931c2f46a7100aaea3cb3514d043add6fb771c4ef625f65f2b5e03e1b6f3b121f308e0a29ea26197aed2be83414c0a1c07c14e771f87653c9