Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07/09/2024, 15:32
General
-
Target
40130a291cefeb3e7c3b829a4e64e500N.exe
-
Size
517KB
-
MD5
40130a291cefeb3e7c3b829a4e64e500
-
SHA1
76e1d91b224d4f3bdbc3556370bf4743d6c2c839
-
SHA256
cf62d33cb26ac0a55e3cd529ea05d51580a22c4d5b421f7c0ed73a1af8b5e4b9
-
SHA512
93aee1cfcc3c2ddb631aa7a9cea607fb535c9328a2b588db04d179413a6948f060545316f427c3e162734bb4b70538672c733ca103627e4ec0c9e5b07dd3b757
-
SSDEEP
6144:QdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqT:28kxNhOZElO5kkWjhD4AOj5lG
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40130a291cefeb3e7c3b829a4e64e500N.exe"C:\Users\Admin\AppData\Local\Temp\40130a291cefeb3e7c3b829a4e64e500N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\PerfLogs\TWZA.EXEC:\PerfLogs\TWZA.EXE2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
517KB
MD5b189e7f62b642c41b2785b11c2d3f3d2
SHA139623661649dfb677bf5e9c53a3805ba07539488
SHA256aa583127e33a70afa194cc20c449a6927158bf18bc6846227de5673d85d81f7b
SHA512cd9696d262fa346f704e5321e470d87d35b5600a017d297ee01fc8849bdea2565361696cce046c23fd68a3980fe02528638968cc5838ecb7dd5d39f6d8de0502
-
Filesize
517KB
MD579df475325c786082c5c3b8c56a4972e
SHA1d1ba20ba537ee81355052588ad4f703f33000b7d
SHA256231babc1f79d1f93f9d8505466d54aa5c31b27b6f93aa0517e5c2ddd09f943cf
SHA5127c2cae385489cb952141f5679d3bca305d6e6d1d59f2acdd53e4f2640fca07cff759338fe4e7d418e6a79ea459408654d238687f9055124de7b45e11f02731a4
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
4KB