Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03/09/2024, 13:21
Behavioral task: behavioral1
  Sample: ORY987650090.exe
  Resource: win7-20240903-en
General
  Target: ORY987650090.exe
  Size: 786KB
  MD5: 0775df6f175b9e95b8a56fdfd22df1c2
  SHA1: c417f98d67f4ee9753e03ecf90c987fa9f0a10e2
  SHA256: 29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
  SHA512: 33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9
  SSDEEP: 12288:ksHzOUNUSB/o5LsI1uwajJ5yvv1l2121VEJbB5dbyPiMWpfzi+Ttvw:HiUmSB/o5d1ubcvs2bMbgVWtrZw
Malware Config
Signatures

  Drops startup file (1 IoCs)
    description   ioc                                                                                              Process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Maianthemum.vbs  Maianthemum.exe

  Executes dropped EXE (1 IoCs)
    pid   Process
    2488  Maianthemum.exe

  resource                                                                       yara_rule
    behavioral2/memory/4444-0-0x0000000000F30000-0x00000000010E5000-memory.dmp   upx
    behavioral2/files/0x0003000000022cc6-14.dat                                  upx
    behavioral2/memory/4444-16-0x0000000000F30000-0x00000000010E5000-memory.dmp  upx
    behavioral2/memory/2488-17-0x0000000000810000-0x00000000009C5000-memory.dmp  upx
    behavioral2/memory/2488-33-0x0000000000810000-0x00000000009C5000-memory.dmp  upx

  AutoIT Executable (2 IoCs)
    AutoIT scripts compiled to PE executables.
    resource                                                                       yara_rule
    behavioral2/memory/4444-16-0x0000000000F30000-0x00000000010E5000-memory.dmp  autoit_exe
    behavioral2/memory/2488-33-0x0000000000810000-0x00000000009C5000-memory.dmp  autoit_exe

  Program crash (1 IoCs)
    pid   pid_target  Process       procid_target
    2016  2488        WerFault.exe  87
  System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                      Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ORY987650090.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Maianthemum.exe
  Suspicious use of FindShellTrayWindow (4 IoCs)
    pid   Process
    4444  ORY987650090.exe
    4444  ORY987650090.exe
    2488  Maianthemum.exe
    2488  Maianthemum.exe

  Suspicious use of SendNotifyMessage (4 IoCs)
    pid   Process
    4444  ORY987650090.exe
    4444  ORY987650090.exe
    2488  Maianthemum.exe
    2488  Maianthemum.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid   Process           procid_target
    PID 4444 wrote to memory of 2488     4444  ORY987650090.exe  87
    PID 4444 wrote to memory of 2488     4444  ORY987650090.exe  87
    PID 4444 wrote to memory of 2488     4444  ORY987650090.exe  87
    PID 2488 wrote to memory of 3528     2488  Maianthemum.exe   88
    PID 2488 wrote to memory of 3528     2488  Maianthemum.exe   88
    PID 2488 wrote to memory of 3528     2488  Maianthemum.exe   88
Processes

  [depth 1] C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
    PID: 4444
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Bohmerwald\Maianthemum.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
      PID: 2488
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      [depth 3] C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
        PID: 3528

      [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 700
        PID: 2016
        - Program crash

  [depth 1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2488 -ip 2488
    PID: 2436
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 786KB
  MD5: 0775df6f175b9e95b8a56fdfd22df1c2
  SHA1: c417f98d67f4ee9753e03ecf90c987fa9f0a10e2
  SHA256: 29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
  SHA512: 33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9

  Filesize: 145KB
  MD5: 61fbdd4805392471dd95b5e54bf817f0
  SHA1: 25852d5c653fefde91fd20aefc296497401a44e0
  SHA256: a591bff9f9d4eb15c687511a06d53e6e1180198ecb70177f370adec19451ee15
  SHA512: 45c507d2020fa7586542dd37cf1a1d4ba5ea59b51289822eb36ea436c268e46677ac364930a033015c7ec904032f7bf893ac9f71941569e357bba77de69dbf85