Analysis

  max time kernel: 119s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 02-10-2024 00:20

  Static task: static1
  Behavioral task: behavioral1
  Sample: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  Resource: win7-20240903-en
General

  Target: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  Size: 647KB
  MD5: ff2da6a2d2e29d76e8ee869fa07f7530
  SHA1: ece7a717f8a6e7973c78cadf87d6449e116fe9f4
  SHA256: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64d
  SHA512: 03334e7e0903ba6b4c4611443722f5c8cf07c974b7ca36d7e1a0a62a4c83bb13702d5b3761f72c288d2bf1e0fbcc4a878559a864fe3147ce8f51a00345818721
  SSDEEP: 12288:ra/rmU5El82jSlI/ExacF3gnxbCEjLz35gRHHi3xED:rav5UjSlI/EPFmOmLz35g9H4xED
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes: firewall-tmp.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk | firewall-tmp.exe

Executes dropped EXE (3 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe, firewall-tmp.exe
  pid | Process
  2308 | firewall-tmp.exe
  2736 | firewall-tmp.exe
  1108 | firewall-tmp.exe

Loads dropped DLL (5 IoCs)
  Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe, firewall-tmp.exe
  pid | Process
  2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  2308 | firewall-tmp.exe
  2736 | firewall-tmp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: firewall-tmp.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | firewall-tmp.exe

Checks whether UAC is enabled (1 IoC)
  Processes: firewall-tmp.exe
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | firewall-tmp.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: firewall-tmp.exe
  description | pid | Process | procid_target
  PID 2736 set thread context of 1108 | 2736 | firewall-tmp.exe | 35

Drops file in Program Files directory (2 IoCs)
  Processes: firewall-tmp.exe
  description | ioc | Process
  File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | firewall-tmp.exe
  File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | firewall-tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe, cmd.exe, firewall-tmp.exe, firewall-tmp.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe
  pid | Process
  2736 | firewall-tmp.exe
  2736 | firewall-tmp.exe
  1108 | firewall-tmp.exe
  1108 | firewall-tmp.exe
  1108 | firewall-tmp.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: firewall-tmp.exe
  pid | Process
  1108 | firewall-tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe
  description | pid | Process
  Token: SeDebugPrivilege | 2736 | firewall-tmp.exe
  Token: SeDebugPrivilege | 1108 | firewall-tmp.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe, firewall-tmp.exe
  description | pid | Process | procid_target
  PID 2516 wrote to memory of 2308 | 2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe | 30
  PID 2516 wrote to memory of 2308 | 2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe | 30
  PID 2516 wrote to memory of 2308 | 2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe | 30
  PID 2516 wrote to memory of 2308 | 2516 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe | 30
  PID 2308 wrote to memory of 2244 | 2308 | firewall-tmp.exe | 32
  PID 2308 wrote to memory of 2244 | 2308 | firewall-tmp.exe | 32
  PID 2308 wrote to memory of 2244 | 2308 | firewall-tmp.exe | 32
  PID 2308 wrote to memory of 2244 | 2308 | firewall-tmp.exe | 32
  PID 2308 wrote to memory of 2736 | 2308 | firewall-tmp.exe | 34
  PID 2308 wrote to memory of 2736 | 2308 | firewall-tmp.exe | 34
  PID 2308 wrote to memory of 2736 | 2308 | firewall-tmp.exe | 34
  PID 2308 wrote to memory of 2736 | 2308 | firewall-tmp.exe | 34
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
  PID 2736 wrote to memory of 1108 | 2736 | firewall-tmp.exe | 35
Processes

1. C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2516

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2308

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Explorer" & exit
         - System Location Discovery: System Language Discovery
         PID: 2244

      3. C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
         - Drops startup file
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2736

         4. C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 1108
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 225KB
  MD5: 51f1ce5d176efbe96f90041f021ffc01
  SHA1: ea0e79728896bdb069a8415e39870e840016a067
  SHA256: 608f68fcb0b4cbb3a2e688757ca461d14a1b15eb183f814fcfbeca882d9d1c6d
  SHA512: 22c19013ee68e7f78633e6e3b1254fe99eb9ad6145dd1c0b0bc6e8dd952405449c55df49ae986d8886d62ce4e18b73764f98c39b806f57c56aadcbca7721619d

File 2
  Filesize: 1024KB
  MD5: 7f80c68c6a830a70710814f8f826f4f2
  SHA1: 340d3725bd2fb249ef23b74695383acfc143f518
  SHA256: 59148dbade1cb116605f776b6cad15e7cdd5fe0303cedaef657768face638f3e
  SHA512: 77d3d9a24d815b8f3143a594dab9d07ddc77f40f0f26b9e12a7d22986f7505b3e02efe8bbe4caf2acc050777594e00246532bba39d45c451a68049c79cf8143d

File 3
  Filesize: 165KB
  MD5: 1c8bfc1aa27be1ef777946a6388ba879
  SHA1: a375d403558a3e2203237178163f65770f5ac702
  SHA256: ea6edfbb4f758fedc4e46256a30300bb80479cb854f83c51501e548b51bbfe72
  SHA512: 8eccdd4d58008d6d872e3983242d1118c98583c12894dbee4d5fd6e9528cd7d6d73fad2bbc175a0ba57aa8dc6baae8caad2d816347544bda22adcf9468111d4e