Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 14:11
Static task: static1
Behavioral task: behavioral1
- Sample: appFile.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: appFile.exe
- Resource: win10v2004-20241007-en
General
- Target: appFile.exe
- Size: 820.8MB
- MD5: f0deb098e981d57a337c2eeb0391af38
- SHA1: 731d91e3e09d3dc66e4a110ab8a403b4c7cd60c6
- SHA256: e48bd580db2bda7c3db0565a44ad11ed75e1cbf72c955aa446e01976900dd6df
- SHA512: 869af0c641f3323226224e32475c00cb3319171ceda2e249964089eb4c262b646d7f0443bdd5366836b3130cdec3a34ac40468272acedf371842916c90a16566
- SSDEEP: 786432:DYCgVIfeQI8jPbZIbZ+6EUmtl0IUJ+Jnc9qDYSVs8eSD4yU6yF1hu/jjz:iVIxIUzZMZ+6EH0IUn8ekFyF1g/Pz
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  - PID 4700: eaUYIqD6abHXbNzeLxu3Ar3H.exe
  - PID 3108: is-RB4U4.tmp
  - PID 2616: jennysoftvideoeditor32.exe
- Loads dropped DLL (1 IoC)
  - PID 3108: is-RB4U4.tmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (appFile.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eaUYIqD6abHXbNzeLxu3Ar3H.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (is-RB4U4.tmp)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jennysoftvideoeditor32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 336: appFile.exe
  - PID 336: appFile.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 336 (appFile.exe) wrote to memory of PID 4700, target procid 90 (reported 3 times)
  - PID 4700 (eaUYIqD6abHXbNzeLxu3Ar3H.exe) wrote to memory of PID 3108, target procid 91 (reported 3 times)
  - PID 3108 (is-RB4U4.tmp) wrote to memory of PID 2616, target procid 92 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\appFile.exe (PID 336, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\appFile.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XOBIrx3RX4wPqLaiTbpG\eaUYIqD6abHXbNzeLxu3Ar3H.exe (PID 4700, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\XOBIrx3RX4wPqLaiTbpG\eaUYIqD6abHXbNzeLxu3Ar3H.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-CGLR6.tmp\is-RB4U4.tmp (PID 3108, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-CGLR6.tmp\is-RB4U4.tmp" /SL4 $B027A "C:\Users\Admin\AppData\Local\Temp\XOBIrx3RX4wPqLaiTbpG\eaUYIqD6abHXbNzeLxu3Ar3H.exe" 7622144 52224
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Jennysoft Video Editor\jennysoftvideoeditor32.exe (PID 2616, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Jennysoft Video Editor\jennysoftvideoeditor32.exe" -i
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads