Analysis
- max time kernel: 34s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2024 01:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2f357264dba5baf086f5e2993a41b2a5.exe
- Resource: win10v2004-20240802-en
General
- Target: 2f357264dba5baf086f5e2993a41b2a5.exe
- Size: 151KB
- MD5: 2f357264dba5baf086f5e2993a41b2a5
- SHA1: 7829842d7fa7e2cf66062afd1e244638dac103fd
- SHA256: 3ba2baa0f6473b8231c03600e866651c4dff9db5ef94219fc2f400c807572c82
- SHA512: 9d324dd89e41062d1abb797e31413dbb00d52afe2552d28bcc91623e00681932d4a34e03a992ab519c208fc083e07c996edc376100f10e1df0373ca99461c900
- SSDEEP: 3072:q/4u3Yq6fuqYb+NqclIa6oyqIhdwGatrECWdKZ/fN2+EHPozA:xu3OeMN+FlmdECWGXN+9
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description: File opened for modification; ioc: C:\Windows\system32\drivers\etc\hosts; Process: Un_A.exe
  description: File opened for modification; ioc: C:\Windows\System32\drivers\etc\hosts; Process: Un_A.exe
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 4988; Process: netsh.exe
- Deletes itself (1 IoC)
  pid 4528; Process: Un_A.exe
- Executes dropped EXE (1 IoC)
  pid 4528; Process: Un_A.exe
- Loads dropped DLL (16 IoCs)
  pid 4528; Process: Un_A.exe (16 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description: Key opened; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; Process: netsh.exe
  description: Key queried; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; Process: netsh.exe
  description: Key value enumerated; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; Process: netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: ipconfig.exe (9 events), 2f357264dba5baf086f5e2993a41b2a5.exe, Un_A.exe, netsh.exe
- Gathers network information (2 TTPs, 9 IoCs)
  Uses a command-line utility to view the network configuration.
  pid 3020, 2100, 4892, 932, 1776, 2104, 4940, 1344, 3504; Process: ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 4528; Process: Un_A.exe (12 events)
- Suspicious use of WriteProcessMemory (35 IoCs)
  Each source/target pair is recorded as "PID <source> wrote to memory of <target>"; the count column gives how many times the log repeats it.

  source pid  source process                        target pid  procid_target  count
  4080        2f357264dba5baf086f5e2993a41b2a5.exe  4528        82             3
  4528        Un_A.exe                              3020        90             3
  4528        Un_A.exe                              2100        92             3
  4528        Un_A.exe                              4940        94             3
  4528        Un_A.exe                              4892        96             3
  4528        Un_A.exe                              1344        98             3
  4528        Un_A.exe                              932         100            3
  4528        Un_A.exe                              3504        102            3
  4528        Un_A.exe                              1776        104            3
  4528        Un_A.exe                              2104        106            3
  4528        Un_A.exe                              4988        108            3
  4528        Un_A.exe                              3240        110            2
Processes
- C:\Users\Admin\AppData\Local\Temp\2f357264dba5baf086f5e2993a41b2a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f357264dba5baf086f5e2993a41b2a5.exe"
  PID: 4080
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    PID: 4528
    - Drops file in Drivers directory
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (9 instances; PIDs 3020, 2100, 4940, 4892, 1344, 932, 3504, 1776, 2104)
      Command line: ipconfig /flushdns
      - System Location Discovery: System Language Discovery
      - Gathers network information
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh.exe advfirewall firewall delete rule name="Block CCleaner"
      PID: 4988
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SYSTEM32\reg.exe
      Command line: reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner" /f
      PID: 3240
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads