Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
  Resource: win10-20240404-en
General
Target: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
Size: 13.2MB
MD5: 56c671ca2f1c447d9626235f396c870a
SHA1: 3bc86393d8b3f0e20e8b49466c48c0a54a03fd61
SHA256: 806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a
SHA512: 44e253da47ec0aa276cbe2abdf4186e9634eb81176a8a9263b48eda3f44346179a380c4b76c157c14740dcb3675dd91ffbf16a7f60accdaedaa58b74a2d313e6
SSDEEP: 393216:e0qJtXxO7qhaKNDJCvTV7D3OwjdAjLnDUFXoQcnU:e/t2KNJC137dAjEFSU
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1988  build_4.exe
  2960  build_4.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  1844  WScript.exe
  1988  build_4.exe
  2960  build_4.exe

Detects Pyinstaller (1 IoC)
Processes:
  resource                                               yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe  pyinstaller

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  build_4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  build_4.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                  target process
  PID 2380 wrote to memory of 1844  2380  806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe  WScript.exe
  PID 2380 wrote to memory of 1844  2380  806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe  WScript.exe
  PID 2380 wrote to memory of 1844  2380  806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe  WScript.exe
  PID 2380 wrote to memory of 1844  2380  806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe  WScript.exe
  PID 1844 wrote to memory of 1988  1844  WScript.exe                                                              build_4.exe
  PID 1844 wrote to memory of 1988  1844  WScript.exe                                                              build_4.exe
  PID 1844 wrote to memory of 1988  1844  WScript.exe                                                              build_4.exe
  PID 1844 wrote to memory of 1988  1844  WScript.exe                                                              build_4.exe
  PID 1988 wrote to memory of 2960  1988  build_4.exe                                                              build_4.exe
  PID 1988 wrote to memory of 2960  1988  build_4.exe                                                              build_4.exe
  PID 1988 wrote to memory of 2960  1988  build_4.exe                                                              build_4.exe
  PID 1988 wrote to memory of 2960  1988  build_4.exe                                                              build_4.exe
Processes

C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2380

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1844

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1988

      C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 2960
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 13.1MB
MD5: 5a5d6ad84a7462708c1f4d51ad7ee9cb
SHA1: de68d6b39aef7dcd49216308110d7b1be4cbf649
SHA256: 64863ef0c89a91f133ac968f1774e39c0c7fa5c69beb825b3db5e55c4ba60987
SHA512: 0cd56d1e7cc34bd56acebd94ee9370ec7aee90b7f86ea6234a6147480d84c4581a5fac85ce73b0cd00a7f7df5e830e4c4dca597ad037a32e84b769b369b50e22

Filesize: 183B
MD5: 5894fc443d20e14cf58c39182e36b005
SHA1: b499cc3083b0f78dcba99f371e03b1fba280f9f0
SHA256: b2771d1657dde2b930007d61ff633919560d9aa7a0a07d9671c962721ed6d88d
SHA512: f4d8459a7d81f8c7bb4c6ccdef7404032117b9423fb63613d0ad8918453f8078c2ae308ad1167cd7f7b7a409a5807307712b38f3616f6d15c394efd44a65109c

Filesize: 5.6MB
MD5: 0eac9fa387647c388fab4239bfe5a0b5
SHA1: fafb679a58b8d85b50af18a4c0a7402fa890ee39
SHA256: 65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414
SHA512: 70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86