Analysis
max time kernel: 110s
max time network: 35s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 05:08
Static task: static1
Behavioral task: behavioral1
  Sample: d4b14f9e906bda1e3f36d43a4ee60c10N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d4b14f9e906bda1e3f36d43a4ee60c10N.exe
  Resource: win10v2004-20240802-en
General
Target: d4b14f9e906bda1e3f36d43a4ee60c10N.exe
Size: 18KB
MD5: d4b14f9e906bda1e3f36d43a4ee60c10
SHA1: 91616563a07b35bc14da2a7d5a128759264eebaf
SHA256: 9eec7cb73084a7eca33e3471dafb6df8bce0581a23e3d3bb49638304b973f907
SHA512: 1cee27ea353a4d64be72ce9e610dad6abbeafd1a43a90c581b45badead5c151b57bbbddb23cda5b79a5909fc1a5295f3df989b5d0442cb684c5096691d269b31
SSDEEP: 384:4N+vQdMLf+gDqDrYbaLT/2TIOhBo1Zl8SXnNs6DUh3:GuKMLf+gmrNLq3DoPBO
Malware Config
Signatures

Enumerates physical storage devices (TTPs: 1)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 9)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4b14f9e906bda1e3f36d43a4ee60c10N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Kills process with taskkill (IoCs: 2)
pid | Process
1464 | taskkill.exe
2080 | taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken (IoCs: 2)
description | pid | Process
Token: SeDebugPrivilege | 2080 | taskkill.exe
Token: SeDebugPrivilege | 1464 | taskkill.exe

Suspicious use of SetWindowsHookEx (IoCs: 1)
pid | Process
2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe

Suspicious use of WriteProcessMemory (IoCs: 32)
description | pid | Process | procid_target
PID 2260 wrote to memory of 2356 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 29
PID 2260 wrote to memory of 2356 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 29
PID 2260 wrote to memory of 2356 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 29
PID 2260 wrote to memory of 2356 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 29
PID 2260 wrote to memory of 2852 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 31
PID 2260 wrote to memory of 2852 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 31
PID 2260 wrote to memory of 2852 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 31
PID 2260 wrote to memory of 2852 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 31
PID 2260 wrote to memory of 1464 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 32
PID 2260 wrote to memory of 1464 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 32
PID 2260 wrote to memory of 1464 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 32
PID 2260 wrote to memory of 1464 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 32
PID 2260 wrote to memory of 2080 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 34
PID 2260 wrote to memory of 2080 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 34
PID 2260 wrote to memory of 2080 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 34
PID 2260 wrote to memory of 2080 | 2260 | d4b14f9e906bda1e3f36d43a4ee60c10N.exe | 34
PID 2356 wrote to memory of 272 | 2356 | cmd.exe | 35
PID 2356 wrote to memory of 272 | 2356 | cmd.exe | 35
PID 2356 wrote to memory of 272 | 2356 | cmd.exe | 35
PID 2356 wrote to memory of 272 | 2356 | cmd.exe | 35
PID 272 wrote to memory of 2824 | 272 | net.exe | 38
PID 272 wrote to memory of 2824 | 272 | net.exe | 38
PID 272 wrote to memory of 2824 | 272 | net.exe | 38
PID 272 wrote to memory of 2824 | 272 | net.exe | 38
PID 2852 wrote to memory of 2988 | 2852 | cmd.exe | 39
PID 2852 wrote to memory of 2988 | 2852 | cmd.exe | 39
PID 2852 wrote to memory of 2988 | 2852 | cmd.exe | 39
PID 2852 wrote to memory of 2988 | 2852 | cmd.exe | 39
PID 2988 wrote to memory of 2732 | 2988 | net.exe | 40
PID 2988 wrote to memory of 2732 | 2988 | net.exe | 40
PID 2988 wrote to memory of 2732 | 2988 | net.exe | 40
PID 2988 wrote to memory of 2732 | 2988 | net.exe | 40
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\d4b14f9e906bda1e3f36d43a4ee60c10N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4b14f9e906bda1e3f36d43a4ee60c10N.exe"
  PID: 2260
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
    PID: 2356
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop sharedaccess
      PID: 272
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop sharedaccess
        PID: 2824
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c net stop KAVStart
    PID: 2852
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop KAVStart
      PID: 2988
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop KAVStart
        PID: 2732
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im 360Safe.exe
    PID: 1464
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im 360tray.exe
    PID: 2080
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken