Analysis
max time kernel: 111s
max time network: 95s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 11:14
Behavioral task behavioral1
Sample: 2d39a6eeb83e7415900803b903ba2fa0N.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 2d39a6eeb83e7415900803b903ba2fa0N.exe
Resource: win10v2004-20240802-en
General
Target: 2d39a6eeb83e7415900803b903ba2fa0N.exe
Size: 168KB
MD5: 2d39a6eeb83e7415900803b903ba2fa0
SHA1: a50b697ec23b8591d6c7a8524f32dce553ccd146
SHA256: 59040f8ff05b3023cbd02aab67e1292922d9ebdf7ae90c16bb255f0a230dbdc5
SHA512: 3ce4555ece215a6f602ca4985b665c5b167e2e2ea2030b56771a91ff363647535d74e383a2738d788e4404b3a2a5212fe24b043c8b9c266bcd7e957fb6c6b001
SSDEEP: 1536:i2WDcOpULCH0a+TNXyyXetH28JZveKivnia:zWDuLzZXyyXeECveDnH
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid 2400, process attrib.exe
- Deletes itself (1 IoCs)
  pid 2176, process cmd.exe
- Executes dropped EXE (1 IoCs)
  pid 2772, process rwmhost.exe
- yara_rule upx matched on the following resources:
  behavioral1/memory/3028-0-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/files/0x0003000000012000-3.dat
  behavioral1/memory/2772-5-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/memory/3028-6-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/memory/2772-7-0x0000000000400000-0x0000000000429000-memory.dmp
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Debug\rwmhost.exe (process 2d39a6eeb83e7415900803b903ba2fa0N.exe)
  File opened for modification: C:\Windows\Debug\rwmhost.exe (process 2d39a6eeb83e7415900803b903ba2fa0N.exe)
  File opened for modification: C:\Windows\Debug\rwmhost.exe (process attrib.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process attrib.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process rwmhost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 2d39a6eeb83e7415900803b903ba2fa0N.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process rwmhost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process rwmhost.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeIncBasePriorityPrivilege, pid 3028, process 2d39a6eeb83e7415900803b903ba2fa0N.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3028 wrote to memory of 2400 (pid 3028, process 2d39a6eeb83e7415900803b903ba2fa0N.exe, procid_target 30), recorded 4 times
  PID 3028 wrote to memory of 2176 (pid 3028, process 2d39a6eeb83e7415900803b903ba2fa0N.exe, procid_target 33), recorded 4 times
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid 2400, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d39a6eeb83e7415900803b903ba2fa0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d39a6eeb83e7415900803b903ba2fa0N.exe"
  PID: 3028
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe (child)
    Command line: attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
    PID: 2400
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2D39A6~1.EXE > nul
    PID: 2176
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\Debug\rwmhost.exe
  Command line: C:\Windows\Debug\rwmhost.exe
  PID: 2772
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: e8b3c6f92d77ce193d9613ab50ed3de1
  SHA1: b660ea5e59a803fedbe22e7746ca64c6c06b94bb
  SHA256: 1d1c4320fd22ea9ab92834b29f9ab2d40f03ba198f010f73bb492fb0dcba6387
  SHA512: ca114cc46c614eda7fbddf4b094298ff5a22a2566e903148952e62bdaa32bd3ff51cb870bb4212e146dbcc429b317f7eba954709be1b126bb6f6c689d503b1ad