Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 05:01

Static task: static1

Behavioral task: behavioral1
Sample: 9ce043c61f6bc3524581ab4e064895a0N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 9ce043c61f6bc3524581ab4e064895a0N.exe
Resource: win10v2004-20240802-en

General
Target: 9ce043c61f6bc3524581ab4e064895a0N.exe
Size: 894KB
MD5: 9ce043c61f6bc3524581ab4e064895a0
SHA1: c51f5b9c868d5d04dd90a6722430c12b4bbb15db
SHA256: d68b311b164166b7443bbfd4eb5dcd2e1e41405429f960c2be1e8b3168bb6962
SHA512: caa2c3a73f79937c12d6036192d73600f7b6f852aee22c5834f41f367739d92a77faf5b6610d607c1d97f8f1662b85b3c908d30bcec2f44dea81b7b5ea63a34f
SSDEEP: 12288:4jauDReWCm+M5Pas4P98bffhKtWFC/bDFjKpuaCJ:4DD+m95C1P9Of7FC/b5jaCJ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 1228 | Process: xagtd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\xagtd.exe" | Process: xagtd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 9ce043c61f6bc3524581ab4e064895a0N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: xagtd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3452 wrote to memory of 1228 | Process: 9ce043c61f6bc3524581ab4e064895a0N.exe | procid_target: 92
  PID 3452 wrote to memory of 1228 | Process: 9ce043c61f6bc3524581ab4e064895a0N.exe | procid_target: 92
  PID 3452 wrote to memory of 1228 | Process: 9ce043c61f6bc3524581ab4e064895a0N.exe | procid_target: 92
Processes

C:\Users\Admin\AppData\Local\Temp\9ce043c61f6bc3524581ab4e064895a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ce043c61f6bc3524581ab4e064895a0N.exe"
  PID: 3452
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\xagtd.exe
      Command line: "C:\ProgramData\xagtd.exe"
      PID: 1228
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
  PID: 4592
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 894KB
MD5: f70d0cef318c8a566a12e17661d59d03
SHA1: e9492fcf45c7d6b5e0bc5b0ac937e347af3982f1
SHA256: 2f577a3249061a67800468e016f7fc6c9df570cb43e6bee1807c8d50d9f9013d
SHA512: 5c6bf7723a8933cabce644c0ca93606692a03f774d8b5c111e77a352d55b5ccb626c6f06b8e6ffae8cd0031e5addd67e11cd5512e26737dce6608a3cd1ec808c

Filesize: 136KB
MD5: cb4c442a26bb46671c638c794bf535af
SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Filesize: 757KB
MD5: a6f73265343a3819599bf22697746761
SHA1: a347dcc709c071f330d4f5433ff2180bca3da760
SHA256: 714ab624a57ef37ea8fcead858264a3b474df797377787b52daf5b37a2c7abae
SHA512: bae1e5fb811ab381a504a292a2121131ab64773fe60dd051a16ec4d21d7410d679983a7a947f8225cb32020dc53feeb7fdf7cf2c70acbe1388cf415e1cd4d37b