Resubmissions

11/09/2024, 19:15 UTC

240911-xyhb5axgpl 8

11/09/2024, 19:12 UTC

240911-xwla1ayblb 8

Analysis

  • max time kernel
    359s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 19:15 UTC

General

  • Target

    a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe

  • Size

    1.0MB

  • MD5

    7c3e5f4c1e0e14f51b6f5a19ba6e1bae

  • SHA1

    73745c924a5f61fe1f9e489bbe6534c5c95c2452

  • SHA256

    a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e

  • SHA512

    e1416d9005285894b68aec509fd86ee5b8c320f80da3db8fdd8bce708fd0cd8fff2ce1c6fb9017c359b9169421be28a646f8179b78e79387da18c86d1eb56a5b

  • SSDEEP

    24576:yJeo26y1eqAyY6fNC1TvD3v8BsOQRsnbP5u:K92NC1TLz0bPs

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
    "C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionPath C:
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 364
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3012
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell.exe Add-MpPreference -ExclusionPath C:
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 280
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:632

Network

  • DNS (US)
    Domain: spark.lightburst.xyz
    Process: Setup.exe
    Remote address: 8.8.8.8:53
    Request: spark.lightburst.xyz IN A
    Response:
  • 127.0.0.1:49212
    Setup.exe
  • 127.0.0.1:49214
    Setup.exe
  • 127.0.0.1:49241
    Setup.exe
  • 127.0.0.1:49243
    Setup.exe
  • 8.8.8.8:53
    spark.lightburst.xyz
    dns
    Setup.exe
    66 B
    131 B
    1
    1

    DNS Request

    spark.lightburst.xyz

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    46678a8f3f7f6d0c345880505f9e39be

    SHA1

    98aea57b2a9938699d413a51d0327b496ad0a6c5

    SHA256

    a1072555a6e460c0115a17c0d20225b0868a1f617a0fa088181293b74145705e

    SHA512

    fe67731a1daf5be7968888881350d51b615b65fedbc06872eed2ed5eb0738f7c778618bd8915357b13b918a2bd3be868c8924650169e732ba24225b73e319cdf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0f3350a43ebe108eddcb773843fd0b75

    SHA1

    52966d10dfbbbdf00fdadb898251774437d1c58a

    SHA256

    4295945650671fe3aa0d0e4f5b8ab6f0fb71a32c2f112dcb2ccd9c3ea3cc4774

    SHA512

    518dcd8b4350499699428ec9dcbe1443a60f035858c8d021dcd2f682d0dc580fff5aca0bedfaa0f14ad7910cf7bcb6e7da1fc9d3011f6e939f8f37d64462fa1a

  • \Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    888KB

    MD5

    ae9bb8668b8afd40c9305886c6904399

    SHA1

    810113c11e98789cb607b897a5f144937083d692

    SHA256

    f80a3287b4e3de00f4b957a0f4e05b9f0aa181268dd041e94610cdac38246718

    SHA512

    3ac907f4defe0d8b8c37ffee305c13d4340667e2822ff748391121f775732b1d36d73dfd41bec18032ff113a80cad18bc319a0153541af2d8969b2a5aa174623
