Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 21:54
Static task: static1
Behavioral task: behavioral1
Sample: fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
Resource: win7-20240903-en
General
Target: fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
Size: 359KB
MD5: 8168ebc24991383d3ca87a3641cddf50
SHA1: 099589f333ff8cab37ea6dcbc27b5873305b125a
SHA256: fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dff
SHA512: 2a5131ce1e50ece6873899d2f90659bf5a5a1b4f77a38f32e714665507f9b4bfb8042d4568692c535cd8a150d7ef42354504a5819984944fc074a1c263b5bc08
SSDEEP: 6144:VT17ZpbhRqk8WwtB17ZpbhRBk8Wwt0717ZpbhRqk8WwtwDdG/cw:Xqk8WwtTBk8WwtAqk8Wwtwuc
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\MCJHMhKks\\SRqRIFfSc.exe" | pandora.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Drops startup file 6 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vj.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vj.js | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KvtuGnRuDM.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KvtuGnRuDM.js | wscript.exe
Executes dropped EXE 4 IoCs
  pid | Process
  2896 | awesome.exe
  2088 | gasmask.exe
  2448 | pandora.exe
  2136 | Client.exe
Loads dropped DLL 9 IoCs
  pid | Process
  2768 | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
  2896 | awesome.exe (x2)
  2088 | gasmask.exe
  1876 | WerFault.exe (x5)
Adds Run key to start application 2 TTPs 3 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\3FZN7FD64V = "\"C:\\Users\\Admin\\AppData\\Roaming\\vj.js\"" | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\B5BZDY82CV = "\"C:\\Users\\Admin\\AppData\\Roaming\\eReceipt.js\"" | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\KvtuGnRuDM.js\"" | wscript.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  1876 | 2136 | WerFault.exe | 35
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gasmask.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ComputerDefaults.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | awesome.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pandora.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Modifies Internet Explorer settings 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class 11 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings | pandora.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings\shell\open | pandora.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\MCJHMhKks\\SRqRIFfSc.exe'" | pandora.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute | pandora.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings\shell\open\command | pandora.exe
  Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\ms-settings\shell | pandora.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  2136 | Client.exe
  2448 | pandora.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2448 | pandora.exe
  Token: SeDebugPrivilege | 2136 | Client.exe
  Token: SeShutdownPrivilege | 1992 | explorer.exe (x11)
Suspicious use of FindShellTrayWindow 26 IoCs
  pid | Process
  1992 | explorer.exe (x26)
Suspicious use of SendNotifyMessage 15 IoCs
  pid | Process
  1992 | explorer.exe (x15)
Suspicious use of WriteProcessMemory 47 IoCs
  description | pid | Process | procid_target
  PID 2768 wrote to memory of 2568 | 2768 | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe | 30 (x4)
  PID 2768 wrote to memory of 2724 | 2768 | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe | 31 (x4)
  PID 2768 wrote to memory of 2896 | 2768 | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe | 32 (x4)
  PID 2896 wrote to memory of 2088 | 2896 | awesome.exe | 33 (x4)
  PID 2896 wrote to memory of 2448 | 2896 | awesome.exe | 34 (x4)
  PID 2088 wrote to memory of 2136 | 2088 | gasmask.exe | 35 (x4)
  PID 2568 wrote to memory of 1436 | 2568 | WScript.exe | 36 (x4)
  PID 2136 wrote to memory of 1992 | 2136 | Client.exe | 39 (x3)
  PID 2448 wrote to memory of 1784 | 2448 | pandora.exe | 38 (x1)
  PID 2136 wrote to memory of 1992 | 2136 | Client.exe | 39 (x1)
  PID 2448 wrote to memory of 1784 | 2448 | pandora.exe | 38 (x3)
  PID 1992 wrote to memory of 3052 | 1992 | explorer.exe | 40 (x3)
  PID 2136 wrote to memory of 1876 | 2136 | Client.exe | 44 (x4)
  PID 2448 wrote to memory of 1632 | 2448 | pandora.exe | 45 (x4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2768

    C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eReceipt.js"
        - Drops startup file
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2568

        C:\Windows\SysWOW64\wscript.exe
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KvtuGnRuDM.js"
            - Drops startup file
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            PID: 1436

    C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vj.js"
        - Drops startup file
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 2724

    C:\Users\Admin\AppData\Roaming\awesome.exe
        Command line: "C:\Users\Admin\AppData\Roaming\awesome.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2896

        C:\Users\Admin\AppData\Local\Temp\gasmask.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\gasmask.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2088

            C:\Users\Admin\AppData\Local\Temp\Client.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2136

                C:\Windows\explorer.exe
                    Command line: "C:\Windows\explorer.exe"
                    - Boot or Logon Autostart Execution: Active Setup
                    - Modifies Internet Explorer settings
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of WriteProcessMemory
                    PID: 1992

                    C:\Windows\system32\ctfmon.exe
                        Command line: ctfmon.exe
                        PID: 3052

                C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 932
                    - Loads dropped DLL
                    - Program crash
                    PID: 1876

        C:\Users\Admin\AppData\Local\Temp\pandora.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\pandora.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2448

            C:\Windows\explorer.exe
                Command line: "C:\Windows\explorer.exe"
                PID: 1784

            C:\Windows\SysWOW64\ComputerDefaults.exe
                Command line: "C:\Windows\System32\ComputerDefaults.exe"
                - System Location Discovery: System Language Discovery
                PID: 1632
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Downloads

Filesize: 8KB
  MD5: e1825bba6bb57f8087e9e56b88d1e818
  SHA1: 4d8aaac848eb45dcebcb43dbbc681003000d18f7
  SHA256: bf8565fc61324b0d42c8a8f1a6ae3cfbbb5d0d717fe7fa9250c6458958019958
  SHA512: b811eefcf26eec307dcd6c4411409b391af7837704da301456220be1d026cebb9573a308ea9354d37f3ca5da967386f6e432dbe8de186bda31435ea40cdeba75

Filesize: 23KB
  MD5: 34996db3bbafb0cbc1cafc05bf07d37d
  SHA1: 1614af664b9729891a6f0b6f9c379db9642ab044
  SHA256: b67d9cbf7fb6a22f88674808551e5d14c45b7167058ada5f5a22baf63ca93af6
  SHA512: 78892037bdf71a3683ce1bd3bd58e4d8730643af032a88f2e339c7107044958cb98b3b34eacdcd190dee227b029feee47059fe9d696df43b35edd05f26f0d68d

Filesize: 3KB
  MD5: fa29cac3eb51372529b68ff16b53c45a
  SHA1: e3ec1169577ffe8f9c3bdb4b055fdb5b415f3843
  SHA256: c1efbe1b7bec3aba906d9e6c8c1216580735d5acd56b65cb4d6e8d3217d6ffa6
  SHA512: 357c386775665e8d5a54c3f25d544711f0b97a9aa95b6f2cf74dc05083b2b606bb83a0e5c696676b3caffcc5cc438b59efbfe7e7c0abf13c1cb1f14c68f6f463

Filesize: 98KB
  MD5: b160c1fdb54ebf1a5e20b371c1456f99
  SHA1: 5ebf1a9d7243bb2db995f0084558cb877b050333
  SHA256: f8f76287ec03bf10a54cce992ef07a6e396f619907c27423892e0a7485977bf6
  SHA512: f9af5cedca134ca8a6bd615121b515c8ee6da535e5390d18fb35997fe4d04a982dd13112b18b179d3b3e52c7654ec550b1273007fdfd54fc7c35f031a8b50142

Filesize: 209KB
  MD5: 19ed0f1c419f170d47e782527cbf461c
  SHA1: 4b9bba4a75eea4155b20c189201777199873d9e7
  SHA256: 62879e612c4f99fe060b4b9d93456ac1beb18d1a0978a0fc9e9e96fc20b83cc4
  SHA512: 85b358a5e59dad683055de4479cf92432ca6fd1e8539e8fdd83cff7c0d18e49a8a0c7c1038774db751ef8a25e66adc79eab6640ecc803e6abef34b335d365008

Filesize: 98KB
  MD5: c5920f986d204334e5f6036b8259d765
  SHA1: b86016db0d94801b8705d6c16029c112ca7e4678
  SHA256: 249b2e9a08c06d3bb0ceee2de9affb8b50be4f776e9eece4e918acda0dcd58f5
  SHA512: 866ed4bc5ec387489b6a396138f36036ba470e5b1459f502f92ffee75ab3a2559031bd02f28c2532c70d2e63134668ede0897a447930631d8ffcd52b4d880761

Filesize: 319KB
  MD5: a0618f0f499ffe104f2fd9a645f23550
  SHA1: b8d7a2a3f551d6f4d7c74dbe9ddef7bc0e59cd94
  SHA256: 691fb560ff1bea5fa71c5fac45a61ec33213dbd1f2b62cda363942a4099b7480
  SHA512: 0c07c9583b4aee63049300d39156ecd39900c554a80c1f3d316996087a8b71a59939ac0feebb9618ce22db6968ba50bbd3b8b27153bd40963171c4fef5975e3b