Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/10/2024, 09:08

Behavioral task: behavioral1
- Sample: 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
- Resource: win7-20240903-en

General
- Target: 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
- Size: 1.4MB
- MD5: 5cc10aef649b302d4ce70574a5a7e349
- SHA1: d9a11539915e8440197caf9011fa8fcc10f343cf
- SHA256: 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b
- SHA512: 6eb32608b71e285c7dfffd4113745a73e4d853cc487c2db9a4ea56c24bbb52a4b6aac7b25b645218a9c5f034fc64178e0c206bab498d0d6a1ab9fe708b57e4ab
- SSDEEP: 24576:1nYCjQA0H5CJZmpW25Wh4+SFC1nltmoDCOYqiYx4atw8pD0JrCjWl5lcbYMs:lYw0kJZmU25YDSFC1b+O/w8pUOjWhcb7
Malware Config
Signatures
-
resource | yara_rule
pid | Process
4116 | cmd.exe
2712 | ARP.EXE
2956 | cmd.exe
464 | ARP.EXE
-
resource | yara_rule
behavioral2/memory/3096-4-0x00000000026B0000-0x00000000026D6000-memory.dmp | upx
behavioral2/memory/3096-3-0x00000000026B0000-0x00000000026D6000-memory.dmp | upx
behavioral2/memory/3096-71-0x00000000026B0000-0x00000000026D6000-memory.dmp | upx
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3096 wrote to memory of 4116 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 83
PID 3096 wrote to memory of 4116 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 83
PID 3096 wrote to memory of 4116 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 83
PID 4116 wrote to memory of 2712 | 4116 | cmd.exe | 85
PID 4116 wrote to memory of 2712 | 4116 | cmd.exe | 85
PID 4116 wrote to memory of 2712 | 4116 | cmd.exe | 85
PID 3096 wrote to memory of 2956 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 86
PID 3096 wrote to memory of 2956 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 86
PID 3096 wrote to memory of 2956 | 3096 | 17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe | 86
PID 2956 wrote to memory of 464 | 2956 | cmd.exe | 88
PID 2956 wrote to memory of 464 | 2956 | cmd.exe | 88
PID 2956 wrote to memory of 464 | 2956 | cmd.exe | 88
Processes (process tree; the leading number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\17070a505a105760ad12d0a6ce6d8de38bee37bcd1934066d794230e7c20c43b.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3096

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c arp -a
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4116

      3. C:\Windows\SysWOW64\ARP.EXE
         Command line: arp -a
         - Network Service Discovery
         - System Location Discovery: System Language Discovery
         PID: 2712

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c arp -a
      - Network Service Discovery
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2956

      3. C:\Windows\SysWOW64\ARP.EXE
         Command line: arp -a
         - Network Service Discovery
         - System Location Discovery: System Language Discovery
         PID: 464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 171B
- MD5: 70ac9a9bf3f6d849f38c02712197464a
- SHA1: f4ae64a18a7b72a3ae346cbc60ea0f3b4e1d418e
- SHA256: 98b3e603dc7ba0bd6f8292a28fa28fe5e965ad362912f5abb91745506f4cc8ea
- SHA512: ffb3c9472cc65850093adf560074570f278d966aded50dd84f12626b143b5fa3f46743204225fc8ed1bf63410025afd914e386fb87931695142432387432a1be