Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-09-2024 11:25
Behavioral task
behavioral1
Sample
aa.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
aa.exe
-
Size
202KB
-
MD5
ff2a52bb3dc9b6b725e725ab64ee2a4f
-
SHA1
78176de490ef034c8d3e9fd47682c8d1388be486
-
SHA256
3a7b3e8f648eef95b7eb3a702d6d5e3dc02c3071837fbcd9f10e06881e4b8022
-
SHA512
8f6d7ae22d8b59876b845d2013f4b6a9ffa5f6a5785d964faf9fb5d06955483787fe669177d1f9787b68596e58395fa4c81a1fcbdfe902f9aab26d76ba09f98e
-
SSDEEP
3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIRtPl1W4F0MpeCWBxwEJce:gLV6Bta6dtJmakIM5KlY4yMpeCoxwET
Malware Config
Signatures
-
Processes:
aa.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aa.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs
Processes:
flow ioc 22 2.tcp.eu.ngrok.io 24 2.tcp.eu.ngrok.io 36 2.tcp.eu.ngrok.io 8 2.tcp.eu.ngrok.io 12 2.tcp.eu.ngrok.io 34 2.tcp.eu.ngrok.io 38 2.tcp.eu.ngrok.io 4 2.tcp.eu.ngrok.io 10 2.tcp.eu.ngrok.io 16 2.tcp.eu.ngrok.io 20 2.tcp.eu.ngrok.io 26 2.tcp.eu.ngrok.io 32 2.tcp.eu.ngrok.io 2 2.tcp.eu.ngrok.io 14 2.tcp.eu.ngrok.io 28 2.tcp.eu.ngrok.io 30 2.tcp.eu.ngrok.io 6 2.tcp.eu.ngrok.io 18 2.tcp.eu.ngrok.io -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
aa.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aa.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
aa.exepid Process 2520 aa.exe 2520 aa.exe 2520 aa.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
aa.exepid Process 2520 aa.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
aa.exedescription pid Process Token: SeDebugPrivilege 2520 aa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa.exe"C:\Users\Admin\AppData\Local\Temp\aa.exe"1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2520