Analysis

  max time kernel:   35s
  max time network:  17s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         03-10-2024 19:06
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
  Resource:          win7-20240903-en
General

  Target:  097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
  Size:    282KB
  MD5:     3fdfed2627088eb9c5a42ea698fdea68
  SHA1:    bc59331c2b825fe5c16417eed4d4e804c664cea7
  SHA256:  097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf
  SHA512:  fd14b5f5dc0653306b7a614ac6e18c8def5dc325761301a6c43f96080b59d14f5607e9d7506f109439a07f37691cd9954ee78916edea8e68370d458a9a1853cf
  SSDEEP:  6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkf4:boSeGUA5YZazpXUmZhZ6SZ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    PID   Process
    2732  a1punf5t2of.exe

Loads dropped DLL (2 IoCs)
  Processes:
    PID   Process
    2668  097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
    2732  a1punf5t2of.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  The value is written by the original sample (PID 2668), not by the dropped copy, and the value name (b1b2dqljdx3) is the same random-looking string as the directory under AppData\Roaming that the dropped executable was written to. An HKCU Run value needs no elevation and relaunches the dropped copy at the next logon of that user.
  Processes:
    Process:      097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
    Description:  Set value (str)
    IoC:          \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location. Many benign programs open this key too, through locale-aware Windows APIs, so on its own this is a weak indicator.
  Processes:
    Description  IoC                                                           Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a1punf5t2of.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (two distinct rows, each logged 7 times):
    Description                       PID   Process                                                                 procid_target  Occurrences
    PID 2668 wrote to memory of 2732  2668  097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe    30             7
    PID 2732 wrote to memory of 1484  2732  a1punf5t2of.exe                                                         31             7
Processes (indentation shows process tree depth)

  C:\Users\Admin\AppData\Local\Temp\097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe"
    PID: 2668
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 2732
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        PID: 1484
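Added example, not part of the sandbox report, covering both the WriteProcessMemory signature and the process tree above: it collapses the report's repeated "wrote to memory of" rows into writer/target edges, follows the chain from the submitted sample, and separates a write into a different image (dropper priming the dropped file) from a write into a freshly started copy of the writer's own image (PID 2732 into PID 1484 here). The pid-to-image table is taken from the process tree; the 14 event rows are rebuilt in the report's flattened text form.

```python
"""Turn a sandbox's WriteProcessMemory rows into writer->target edges and label them."""
import re
from collections import Counter

SAMPLE = "097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe"

# pid -> image name, as listed in the report's process tree.
PROCESSES = {2668: SAMPLE, 2732: "a1punf5t2of.exe", 1484: "a1punf5t2of.exe"}

# The report's rows, rebuilt in its flattened form "<description> <pid> <image> <procid_target>".
# Each distinct row appears 7 times in the report, hence the multiplication (constructed input).
EVENT_ROWS = (
    [f"PID 2668 wrote to memory of 2732 2668 {SAMPLE} 30"] * 7
    + ["PID 2732 wrote to memory of 1484 2732 a1punf5t2of.exe 31"] * 7
)

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_rows(rows) -> Counter:
    """Count write events per (writer_pid, target_pid); rejects rows it cannot parse."""
    edges = Counter()
    for row in rows:
        m = _ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def classify_edges(edges: Counter, processes: dict) -> list:
    """Label each edge.

    'self-image' : target runs the same image as the writer. A parent writing into a
                   second instance of itself is the shape seen with process hollowing;
                   the rows alone do not prove it, a memory dump of the target would.
    'cross-image': writer and target run different images (e.g. dropper -> dropped exe).
    """
    findings = []
    for (writer, target), n in sorted(edges.items()):
        w_img = processes.get(writer, "?")
        t_img = processes.get(target, "?")
        kind = "self-image" if (w_img == t_img and writer != target) else "cross-image"
        findings.append({"writer": writer, "target": target, "writes": n,
                         "writer_image": w_img, "target_image": t_img, "kind": kind})
    return findings


def injection_chain(edges: Counter, root: int) -> list:
    """Follow writer->target edges from root; stops at a pid with no outgoing write."""
    targets = {w: t for (w, t) in edges}  # assumes one target per writer, true for this report
    chain = [root]
    while chain[-1] in targets and targets[chain[-1]] not in chain:
        chain.append(targets[chain[-1]])
    return chain


if __name__ == "__main__":
    edges = parse_rows(EVENT_ROWS)
    for finding in classify_edges(edges, PROCESSES):
        print(finding)
    print("chain:", " -> ".join(map(str, injection_chain(edges, 2668))))
```

For this sample the chain is 2668 -> 2732 -> 1484: the dropper writes into the dropped executable, which then spawns a second copy of itself and writes into that. The report records the write calls but not their contents, so the thing to pull next is the memory of PID 1484.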
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  282KB
  MD5:       439bacb03b13d864457de04971f4a79d
  SHA1:      6e1b4c2ca7fc33a2f1eb355cc8c0743f2a2a901d
  SHA256:    ed66ed36db3bce4c6b16f97220e3a82e7900f1bdba38c7140d9ff26faf78eaec
  SHA512:    2b4a4084b6a9594ab6ce58651489a75268e3feb2b77e393324fc25fb5796dfc1a2c59de4bcfe64ae4196f65f66e7fee794a1e2bd433bbde798b4322b295d3d59

  The report does not name this file. Its size matches the submitted sample but every hash differs, so it is not a byte-identical copy.