Analysis

  • max time kernel
    110s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 05:08

General

  • Target

    d4b14f9e906bda1e3f36d43a4ee60c10N.exe

  • Size

    18KB

  • MD5

    d4b14f9e906bda1e3f36d43a4ee60c10

  • SHA1

    91616563a07b35bc14da2a7d5a128759264eebaf

  • SHA256

    9eec7cb73084a7eca33e3471dafb6df8bce0581a23e3d3bb49638304b973f907

  • SHA512

    1cee27ea353a4d64be72ce9e610dad6abbeafd1a43a90c581b45badead5c151b57bbbddb23cda5b79a5909fc1a5295f3df989b5d0442cb684c5096691d269b31

  • SSDEEP

    384:4N+vQdMLf+gDqDrYbaLT/2TIOhBo1Zl8SXnNs6DUh3:GuKMLf+gmrNLq3DoPBO

Score
6/10

Malware Config

Signatures

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b14f9e906bda1e3f36d43a4ee60c10N.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b14f9e906bda1e3f36d43a4ee60c10N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\net.exe
        net stop sharedaccess
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:272
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net stop KAVStart
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\net.exe
        net stop KAVStart
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop KAVStart
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2732
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360Safe.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1464
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360tray.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2260-2-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/2260-5-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB