Analysis
-
max time kernel
36s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
28-09-2024 19:41
Static task
static1
Behavioral task
behavioral1
Sample
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe
Resource
win7-20240704-en
General
-
Target
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe
-
Size
282KB
-
MD5
0db1a05d8dbc73507a535b122cbfff85
-
SHA1
5a4fca1ed651f9ce19f19a2bc51868ee9b95e1ef
-
SHA256
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6
-
SHA512
95541c726c5773850aba1e875ae5415b8e34e02fd96a738c494aeece6d2b4f7b601536b54d07333cc9f4744107a7baf67b2142bbf121328ae4ae32c6b2363c93
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfh:boSeGUA5YZazpXUmZhZ6SA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
a1punf5t2of.exepid Process 2812 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exea1punf5t2of.exepid Process 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 2812 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exea1punf5t2of.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exea1punf5t2of.exedescription pid Process procid_target PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 1296 wrote to memory of 2812 1296 6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe 31 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32 PID 2812 wrote to memory of 2628 2812 a1punf5t2of.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe"C:\Users\Admin\AppData\Local\Temp\6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵PID:2628
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
282KB
MD5a01c1073bdbcef71341936c6c45a1f4d
SHA145ae922e5fd9eeafbba315c162dd8f1e3c581518
SHA25691c3616d3cbc050874a835690c01f5186173201fb572bca95cbf5d569225cd28
SHA512d7dcadab8d313ab061e5119816057d233b87f25a2d70188eacc3c38fd7dbada475e1fb239d98e149b45585bfc21970e22be5640787920abd545cb73191b9d9d6